diff -urN linux-2.4.20/Documentation/Configure.help linux-2.4.20/Documentation/Configure.help --- linux-2.4.20/Documentation/Configure.help 2002-11-28 18:53:08.000000000 -0500 +++ linux-2.4.20/Documentation/Configure.help 2003-02-12 23:36:37.000000000 -0500 @@ -2569,6 +2569,20 @@ If you want to compile it as a module, say M here and read Documentation/modules.txt. If unsure, say `N'. +stealth networking support +CONFIG_IP_NF_MATCH_STEALTH + Enabling this option will drop all syn packets coming to unserved tcp + ports as well as all packets coming to unserved udp ports. If you + are using your system to route any type of packets (ie. via NAT) + you should put this module at the end of your ruleset, since it will + drop packets that aren't going to ports that are listening on your + machine itself, it doesn't take into account that the packet might be + destined for someone on your internal network if you're using NAT for + instance. + + If you want to compile it as a module, say M here and read + Documentation/modules.txt. If unsure, say `N'. + MAC address match support CONFIG_IP_NF_MATCH_MAC MAC matching allows you to match packets based on the source @@ -21427,6 +21441,813 @@ "Area6" will work for most boards. For ADX, select "Area5". +Grsecurity +CONFIG_GRKERNSEC + If you say Y here, you will be able to configure many features that + will enhance the security of your system. It is highly recommended + that you say Y here and read through the help for each option so + you fully understand the features and can evaluate their usefulness + for your machine. + +Additional security levels +CONFIG_GRKERNSEC_LOW + + Low additional security + ----------------------------------------------------------------------- + If you choose this option, several of the grsecurity options will + be enabled that will give you greater protection against a number + of attacks, while assuring that none of your software will have any + conflicts with the additional security measures. If you run a lot of + unusual software, or you are having problems with the higher security + levels, you should say Y here. With this option, the following features + are enabled: + + linking restrictions + fifo restrictions + random pids + enforcing nproc on execve() + restricted dmesg + random ip ids + enforced chdir("/") on chroot + + Medium additional security + ----------------------------------------------------------------------- + If you say Y here, several features in addition to those included in the + low additional security level will be enabled. These features provide + even more security to your system, though in rare cases they may + be incompatible with very old or poorly written software. If you + enable this option, make sure that your auth service (identd) is + running as gid 10 (usually group wheel). With this option the following + features (in addition to those provided in the low additional security + level) will be enabled: + + random tcp source ports + altered ping ids + failed fork logging + time change logging + signal logging + deny mounts in chroot + deny double chrooting + deny sysctl writes in chroot + deny mknod in chroot + deny access to abstract AF_UNIX sockets out of chroot + deny pivot_root in chroot + denied writes of /dev/kmem, /dev/mem, and /dev/port + /proc restrictions with special gid set to 10 (usually wheel) + address space layout randomization + + High additional security + ---------------------------------------------------------------------- + If you say Y here, many of the features of grsecurity will be enabled, + that will protect you against virtually all kinds of attacks against + your system. The much hightened security comes at a cost of an + increased chance of incompatabilities with rare software on your + machine. It is highly recommended that you view + and read about each option. Since + this security level enabled PaX, you should also view + and read about the PaX project. While + you are there, download chpax.c and run chpax -p on binaries that cause + problems with PaX. Also remember that since the /proc restrictions are + enabled, you must run your identd as group wheel (gid 10). + This security level enables the following features in addition to those + listed in the low and medium security levels: + + additional /proc restrictions + chmod restrictions in chroot + no signals, ptrace, or viewing processes outside of chroot + capability restrictions in chroot + deny fchdir out of chroot + priority restrictions in chroot + segmentation-based implementation of PaX + mprotect restrictions + removal of /proc//[maps|mem] + kernel stack randomization + mount/unmount/remount logging + + +Customized additional security +CONFIG_GRKERNSEC_CUSTOM + If you say Y here, you will be able to configure every grsecurity + option, which allows you to enable many more features that aren't + covered in the basic security levels. These additional features include + TPE, socket restrictions, and the sysctl system for grsecurity. It is + advised that you read through the help for each option to determine its + usefulness in your situation. + +Enforce non-executable pages +CONFIG_GRKERNSEC_PAX_NOEXEC + By design the IA-32 architecture does not allow for protecting + memory pages against execution, i.e. if a page is readable (such + as the stack or heap) it is also executable. There is a well + known exploit technique that makes use of this fact and a common + programming mistake where an attacker can introduce executable + code of his choice somewhere in the attacked program's memory + (typically the stack or the heap) and then execute it. If the + attacked program was running with different (typically higher) + privileges than that of the attacker, then he can elevate his + own privilege level (e.g. get a root shell, write to files for + which he does not have write access to, etc). + + There are two implementations provided here, each with its own + impact on performance and usability. You should enable at least + one of them to enforce the non-executable flag on memory pages + thereby making it harder to execute 'foreign' code in a program. + + This will also break programs that rely on the old behaviour and + expect that dynamically allocated memory via the malloc() family + of functions is executable (which it is not). Notable examples + are the XFree86 4.x server, the java runtime and wine. + + NOTE: you can use the 'chpax' utility to enable/disable this + feature on a per file basis. chpax is available at + + +Paging based non-executable pages +CONFIG_GRKERNSEC_PAX_PAGEEXEC + This implementation is based on the paging feature of the CPU + and has a variable performance impact on applications depending + on their memory usage pattern. You should carefully evaluate + your applications before using this feature in production. + +Segmentation based non-executable pages +CONFIG_GRKERNSEC_PAX_SEGMEXEC + This implementation is based on the segmentation feature of the + CPU and has little performance impact, however applications will + be limited to a 1.5 GB address space instead of the normal 3 GB. + +Emulate trampolines +CONFIG_GRKERNSEC_PAX_EMUTRAMP + There are some programs and libraries that for one reason or + another attempt to execute special small code snippets from + non-executable memory pages. Most notable examples are the + signal handler return code generated by the kernel itself and + the GCC trampolines. + + If you enabled CONFIG_GRKERNSEC_PAX_PAGEEXEC or + CONFIG_GRKERNSEC_PAX_SEGMEXEC then such programs will no longer + work under your kernel. + + As a remedy you can say Y here and use the 'chpax' utility to + enable trampoline emulation for the affected programs yet still + have the protection provided by the non-executable pages. + + Alternatively you can say N here and use the 'chpax' utility + to disable CONFIG_GRKERNSEC_PAX_PAGEEXEC and + CONFIG_GRKERNSEC_PAX_SEGMEXEC for the affected files. + + NOTE: enabling this feature *may* open up a loophole in the + protection provided by non-executable pages that an attacker + could abuse. Therefore the best solution is to not have any + files on your system that would require this option. This can + be achieved by not using libc5 (which relies on the kernel + signal handler return code) and not using or rewriting programs + that make use of the nested function implementation of GCC. + Skilled users can just fix GCC itself so that it implements + nested function calls in a way that does not interfere with PaX. + +Automatically emulate sigreturn trampolines +CONFIG_GRKERNSEC_PAX_EMUSIGRT + Enabling this option will have the kernel automatically detect + and emulate signal return trampolines executing on the stack + that would otherwise lead to task termination. + + This solution is intended as a temporary one for users with + legacy versions of libc (libc5, glibc 2.0, uClibc, Modula-3 + runtime, etc) or executables linked to such, basically everything + that does not specify its own SA_RESTORER function in normal + executable memory like glibc 2.1+ does. + + NOTE: this feature cannot be disabled on a per executable basis + and since it *does* open up a loophole in the protection provided + by non-executable pages, the best solution is to not have any + files on your system that would require this option. + +Restrict mprotect() +CONFIG_GRKERNSEC_PAX_MPROTECT + Enabling this option will prevent programs from + - changing the executable status of memory pages that were + not originally created as executable, + - making read-only executable pages writable again, + - creating executable pages from anonymous memory. + + You should say Y here to complete the protection provided by + the enforcement of non-executable pages. + + NOTE: you can use the 'chpax' utility to control this + feature on a per file basis. chpax is available at + + +Disallow ELF text relocations +CONFIG_GRKERNSEC_PAX_NOELFRELOCS + Non-executable pages and mprotect() restrictions are effective + in preventing the introduction of new executable code into an + attacked task's address space. There remain only two venues + for this kind of attack: if the attacker can execute already + existing code in the attacked task then he can either have it + create and mmap() a file containing his code or have it mmap() + an already existing ELF library that does not have position + independent code in it and use mprotect() on it to make it + writable and copy his code there. While protecting against + the former approach is beyond PaX, the latter can be prevented + by having only PIC ELF libraries on one's system (which do not + need to relocate their code). If you are sure this is your case, + then enable this option otherwise be careful as you may not even + be able to boot or log on your system (for example, some PAM + modules are erroneously compiled as non-PIC by default). + + NOTE: if you are using dymamic ELF executables (as suggested + when using ASLR) then you must have made sure that you linked + your files using the PIC version of crt1 (the et_dyn.zip package + referenced there has already been updated to support this). + +Address Space Layout Randomization +CONFIG_GRKERNSEC_PAX_ASLR + Many if not most exploit techniques rely on the knowledge of + certain addresses in the attacked program. The following options + will allow the kernel to apply a certain amount of randomization + to specific parts of the program thereby forcing an attacker to + guess them in most cases. Any failed guess will most likely crash + the attacked program which allows the kernel to detect such attempts + and react on them. PaX itself provides no reaction mechanisms, + instead it is strongly encouraged that you make use of grsecurity's + built-in crash detection features or develop one yourself. + + By saying Y here you can choose to randomize the following areas: + - top of the task's kernel stack + - top of the task's userland stack + - base address for mmap() requests that do not specify one + (this includes all libraries) + - base address of the main executable + + It is strongly recommended to say Y here as address space layout + randomization has negligible impact on performance yet it provides + a very effective protection. + + NOTE: you can use the 'chpax' utility to control most of these features + on a per file basis. + +Randomize kernel stack base +CONFIG_GRKERNSEC_PAX_RANDKSTACK + By saying Y here the kernel will randomize every task's kernel + stack on every system call. This will not only force an attacker + to guess it but also prevent him from making use of possible + leaked information about it. + + Since the kernel stack is a rather scarce resource, randomization + may cause unexpected stack overflows, therefore you should very + carefully test your system. Note that once enabled in the kernel + configuration, this feature cannot be disabled on a per file basis. + +Randomize user stack base +CONFIG_GRKERNSEC_PAX_RANDUSTACK + By saying Y here the kernel will randomize every task's userland + stack. The randomization is done in two steps where the second + one may apply a big amount of shift to the top of the stack and + cause problems for programs that want to use lots of memory (more + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is). + For this reason the second step can be controlled by 'chpax' on + a per file basis. + +Randomize ET_EXEC base +CONFIG_GRKERNSEC_PAX_RANDEXEC + By saying Y here the kernel will randomize the base address of normal + ET_EXEC ELF executables as well. This is accomplished by mapping the + executable in memory in a special way which also allows for detecting + attackers who attempt to execute its code for their purposes. Since + this special mapping causes performance degradation and the attack + detection may create false alarms as well, you should carefully test + your executables when this feature is enabled. + + This solution is intended only as a temporary one until you relink + your programs as a dynamic ELF file. + + NOTE: you can use the 'chpax' utility to control this feature + on a per file basis. + +Randomize mmap() base +CONFIG_GRKERNSEC_PAX_RANDMMAP + By saying Y here the kernel will use a randomized base address for + mmap() requests that do not specify one themselves. As a result + all dynamically loaded libraries will appear at random addresses + and therefore be harder to exploit by a technique where an attacker + attempts to execute library code for his purposes (e.g. spawn a + shell from an exploited program that is running at an elevated + privilege level). + + Furthermore, if a program is relinked as a dynamic ELF file, its + base address will be randomized as well, completing the full + randomization of the address space layout. Attacking such programs + becomes a guess game. You can find an example of doing this at + and practical samples at + . + + NOTE: you can use the 'chpax' utility to control this feature + on a per file basis. + +Deny writing to /dev/kmem, /dev/mem, and /dev/port +CONFIG_GRKERNSEC_KMEM + If you say Y here, /dev/kmem and /dev/mem won't be allowed to + be written to via mmap or otherwise to modify the running kernel. + /dev/port will also not be allowed to be opened. If you have module + support disabled, enabling this will close up four ways that are + currently used to insert malicious code into the running kernel. + Even with all these features enabled, we still highly recommend that + you use the ACL system, as it is still possible for an attacker to + modify the running kernel through privileged I/O granted by ioperm/iopl. + If you are not using XFree86, you may be able to stop this additional + case by enabling the 'Disable privileged I/O' option. Though nothing + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem, + but only to video memory, which is the only writing we allow in this + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will + not be allowed to mprotect it with PROT_WRITE later. + Enabling this feature could make certain apps like VMWare stop working, + as they need to write to other locations in /dev/mem. + It is highly recommended that you say Y here. + +Disable privileged I/O +CONFIG_GRKERNSEC_IO + If you say Y here, all ioperm and iopl calls will return an error. + Ioperm and iopl can be used to modify the running kernel. + Unfortunately, some problems need this access to operate properly, + the most notable of which are XFree86 and hwclock. hwclock can be + remedied by having RTC support in the kernel, so CONFIG_RTC is + enabled if this option is enabled, to ensure that hwclock operates + correctly. XFree86 still will not operate correctly with this option + enabled, so DO NOT CHOOSE Y IF YOU USE XFree86. If you use XFree86 + and you still want to protect your kernel against modification, + use the ACL system. + +Proc Restrictions +CONFIG_GRKERNSEC_PROC + If you say Y here, the permissions of the /proc filesystem + will be altered to enhance system security and privacy. Depending + upon the options you choose, you can either restrict users to see + only the processes they themselves run, or choose a group that can + view all processes and files normally restricted to root if you choose + the "restrict to user only" option. NOTE: If you're running identd as + a non-root user, you will have to run it as the group you specify here. + +Restrict /proc to user only +CONFIG_GRKERNSEC_PROC_USER + If you say Y here, non-root users will only be able to view their own + processes, and restricts them from viewing network-related information, + and viewing kernel symbol and module information. + +Restrict /proc to user and group +CONFIG_GRKERNSEC_PROC_USERGROUP + If you say Y here, you will be able to select a group that will be + able to view all processes, network-related information, and + kernel and symbol information. This option is useful if you want + to run identd as a non-root user. + +Remove addresses from /proc/pid/maps +CONFIG_GRKERNSEC_PROC_MEMMAP + If you say Y here, the /proc//maps file will + give no information about the addresses of its mappings if + PaX features that rely on random addresses are enabled on the task. + If you use PaX it is greatly recommended that you say Y here as it + closes up a hole that makes the full ASLR useless for suid + binaries. + +Additional proc restrictions +CONFIG_GRKERNSEC_PROC_ADD + If you say Y here, additional restrictions will be placed on + /proc that keep normal users from viewing cpu and device information. + +Dmesg(8) Restriction +CONFIG_GRKERNSEC_DMESG + If you say Y here, non-root users will not be able to use dmesg(8) + to view up to the last 4kb of messages in the kernel's log buffer. + If the sysctl option is enabled, a sysctl option with name "dmesg" is + created. + +Linking restrictions +CONFIG_GRKERNSEC_LINK + If you say Y here, /tmp race exploits will be prevented, since users + will no longer be able to follow symlinks owned by other users in + world-writeable +t directories (i.e. /tmp), unless the owner of the + symlink is the owner of the directory. users will also not be + able to hardlink to files they do not own. If the sysctl option is + enabled, a sysctl option with name "linking_restrictions" is created. + +FIFO restrictions +CONFIG_GRKERNSEC_FIFO + If you say Y here, users will not be able to write to FIFOs they don't + own in world-writeable +t directories (i.e. /tmp), unless the owner of + the FIFO is the same owner of the directory it's held in. If the sysctl + option is enabled, a sysctl option with name "fifo_restrictions" is + created. + +Exec process limiting +CONFIG_GRKERNSEC_EXECVE + If you say Y here, users with a resource limit on processes will + have the value checked during execve() calls. The current system + only checks the system limit during fork() calls. If the sysctl option + is enabled, a sysctl option with name "execve_limiting" is created. + +Single group for auditing +CONFIG_GRKERNSEC_AUDIT_GROUP + If you say Y here, the exec, chdir, (un)mount, and ipc logging features + will only operate on a group you specify. This option is recommended + if you only want to watch certain users instead of having a large + amount of logs from the entire system. If the sysctl option is enabled, + a sysctl option with name "audit_group" is created. + +GID for auditing +CONFIG_GRKERNSEC_AUDIT_GID + Here you can choose the GID that will be the target of kernel auditing. + Remember to add the users you want to log to the GID specified here. + If the sysctl option is enabled, whatever you choose here won't matter. + You'll have to specify the GID in your bootup script by echoing the GID + to the proper /proc entry. View the help on the sysctl option for more + information. If the sysctl option is enabled, a sysctl option with name + "audit_gid" is created. + +Chdir logging +CONFIG_GRKERNSEC_AUDIT_CHDIR + If you say Y here, all chdir() calls will be logged. If the sysctl + option is enabled, a sysctl option with name "audit_chdir" is created. + +(Un)Mount logging +CONFIG_GRKERNSEC_AUDIT_MOUNT + If you say Y here, all mounts and unmounts will be logged. If the + sysctl option is enabled, a sysctl option with name "audit_mount" is + created. + +IPC logging +CONFIG_GRKERNSEC_AUDIT_IPC + If you say Y here, creation and removal of message queues, semaphores, + and shared memory will be logged. If the sysctl option is enabled, a + sysctl option with name "audit_ipc" is created. + +Exec logging +CONFIG_GRKERNSEC_EXECLOG + If you say Y here, all execve() calls will be logged (since the + other exec*() calls are frontends to execve(), all execution + will be logged). Useful for shell-servers that like to keep track + of their users. If the sysctl option is enabled, a sysctl option with + name "exec_logging" is created. + WARNING: This option when enabled will produce a LOT of logs, especially + on an active system. + +Resource logging +CONFIG_GRKERNSEC_RESLOG + If you say Y here, all attempts to overstep resource limits will + be logged with the resource name, the requested size, and the current + limit. It is highly recommended that you say Y here. + +Signal logging +CONFIG_GRKERNSEC_SIGNAL + If you say Y here, certain important signals will be logged, such as + SIGSEGV, which will as a result inform you of when a error in a program + occurred, which in some cases could mean a possible exploit attempt. + If the sysctl option is enabled, a sysctl option with name + "signal_logging" is created. + +Fork failure logging +CONFIG_GRKERNSEC_FORKFAIL + If you say Y here, all failed fork() attempts will be logged. + This could suggest a fork bomb, or someone attempting to overstep + their process limit. If the sysctl option is enabled, a sysctl option + with name "forkfail_logging" is created. + +Time change logging +CONFIG_GRKERNSEC_TIME + If you say Y here, any changes of the system clock will be logged. + If the sysctl option is enabled, a sysctl option with name + "timechange_logging" is created. + +Chroot jail restrictions +CONFIG_GRKERNSEC_CHROOT + If you say Y here, you will be able to choose several options that will + make breaking out of a chrooted jail much more difficult. If you + encounter no software incompatibilities with the following options, it + is recommended that you enable each one. + +Deny access to abstract AF_UNIX sockets out of chroot +CONFIG_GRKERNSEC_CHROOT_UNIX + If you say Y here, processes inside a chroot will not be able to + connect to abstract (meaning not belonging to a filesystem) Unix + domain sockets that were bound outside of a chroot. It is recommended + that you say Y here. If the sysctl option is enabled, a sysctl option + with name "chroot_deny_unix" is created. + +Deny shmat() out of chroot +CONFIG_GRKERNSEC_CHROOT_SHMAT + If you say Y here, processes inside a chroot will not be able to attach + to shared memory segments that were created outside of the chroot jail. + It is recommended that you say Y here. If the sysctl option is enabled, + a sysctl option with name "chroot_deny_shmat" is created. + +Protect outside processes +CONFIG_GRKERNSEC_CHROOT_FINDTASK + If you say Y here, processes inside a chroot will not be able to + kill, send signals with fcntl, ptrace, capget, setpgid, getpgid, + getsid, or view any process outside of the chroot. If the sysctl + option is enabled, a sysctl option with name "chroot_findtask" is + created. + +Deny mounts in chroot +CONFIG_GRKERNSEC_CHROOT_MOUNT + If you say Y here, processes inside a chroot will not be able to + mount or remount filesystems. If the sysctl option is enabled, a + sysctl option with name "chroot_deny_mount" is created. + +Deny pivot_root in chroot +CONFIG_GRKERNSEC_CHROOT_PIVOT + If you say Y here, processes inside a chroot will not be able to use + a function called pivot_root() that was introduced in Linux 2.3.41. It + works similar to chroot in that it changes the root filesystem. This + function could be misused in a chrooted process to attempt to break out + of the chroot, and therefore should not be allowed. If the sysctl + option is enabled, a sysctl option with name "chroot_deny_pivot" is + created. + +Deny double-chroots +CONFIG_GRKERNSEC_CHROOT_DOUBLE + If you say Y here, processes inside a chroot will not be able to chroot + again. This is a widely used method of breaking out of a chroot jail + and should not be allowed. If the sysctl option is enabled, a sysctl + option with name "chroot_deny_chroot" is created. + +Deny fchdir outside of chroot +CONFIG_GRKERNSEC_CHROOT_FCHDIR + If you say Y here, a well-known method of breaking chroots by fchdir'ing + to a file descriptor of the chrooting process that points to a directory + outside the filesystem will be stopped. If the sysctl option + is enabled, a sysctl option with name "chroot_deny_fchdir" is created. + +Enforce chdir("/") on all chroots +CONFIG_GRKERNSEC_CHROOT_CHDIR + If you say Y here, the current working directory of all newly-chrooted + applications will be set to the the root directory of the chroot. + The man page on chroot(2) states: + Note that this call does not change the current working + directory, so that `.' can be outside the tree rooted at + `/'. In particular, the super-user can escape from a + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'. + + It is recommended that you say Y here, since it's not known to break + any software. If the sysctl option is enabled, a sysctl option with + name "chroot_enforce_chdir" is created. + +Deny (f)chmod +s in chroot +CONFIG_GRKERNSEC_CHROOT_CHMOD + If you say Y here, processes inside a chroot will not be able to chmod + or fchmod files to make them have suid or sgid bits. This protects + against another published method of breaking a chroot. If the sysctl + option is enabled, a sysctl option with name "chroot_deny_chmod" is + created. + +Deny mknod in chroot +CONFIG_GRKERNSEC_CHROOT_MKNOD + If you say Y here, processes inside a chroot will not be allowed to + mknod. The problem with using mknod inside a chroot is that it + would allow an attacker to create a device entry that is the same + as one on the physical root of your system, which could range from + anyhing from the console device to a device for your harddrive (which + they could then use to wipe the drive or steal data). It is recommended + that you say Y here, unless you run into software incompatibilities. + If the sysctl option is enabled, a sysctl option with name + "chroot_deny_mknod" is created. + +Restrict priority changes in chroot +CONFIG_GRKERNSEC_CHROOT_NICE + If you say Y here, processes inside a chroot will not be able to raise + the priority of processes in the chroot, or alter the priority of + processes outside the chroot. This provides more security than simply + removing CAP_SYS_NICE from the process' capability set. If the + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice" + is created. + +Log all execs within chroot +CONFIG_GRKERNSEC_CHROOT_EXECLOG + If you say Y here, all executions inside a chroot jail will be logged + to syslog. This can cause a large amount of logs if certain + applications (eg. djb's daemontools) are installed on the system, and + is therefore left as an option. If the sysctl option is enabled, a + sysctl option with name "chroot_execlog" is created. + +Deny sysctl writes in chroot +CONFIG_GRKERNSEC_CHROOT_SYSCTL + If you say Y here, an attacker in a chroot will not be able to + write to sysctl entries, either by sysctl(2) or through a /proc + interface. It is strongly recommended that you say Y here. If the + sysctl option is enabled, a sysctl option with name + "chroot_deny_sysctl" is created. + +Chroot jail capability restrictions +CONFIG_GRKERNSEC_CHROOT_CAPS + If you say Y here, the capabilities on all root processes within a + chroot jail will be lowered to stop module insertion, raw i/o, + system and net admin tasks, rebooting the system, modifying immutable + files, modifying IPC owned by another, and changing the system time. + This is left an option because it can break some apps. Disable this + if your chrooted apps are having problems performing those kinds of + tasks. If the sysctl option is enabled, a sysctl option with + name "chroot_caps" is created. + +Trusted path execution +CONFIG_GRKERNSEC_TPE + If you say Y here, you will be able to choose a gid to add to the + supplementary groups of users you want to mark as "untrusted." + These users will not be able to execute any files that are not in + root-owned directories writeable only by root. If the sysctl option + is enabled, a sysctl option with name "tpe" is created. + +Group for trusted path execution +CONFIG_GRKERNSEC_TPE_GID + Here you can choose the GID to enable trusted path protection for. + Remember to add the users you want protection enabled for to the GID + specified here. If the sysctl option is enabled, whatever you choose + here won't matter. You'll have to specify the GID in your bootup + script by echoing the GID to the proper /proc entry. View the help + on the sysctl option for more information. If the sysctl option is + enabled, a sysctl option with name "tpe_gid" is created. + +Partially restrict non-root users +CONFIG_GRKERNSEC_TPE_ALL + If you say Y here, All non-root users other than the ones in the + group specified in the main TPE option will only be allowed to + execute files in directories they own that are not group or + world-writeable, or in directories owned by root and writeable only by + root. If the sysctl option is enabled, a sysctl option with name + "tpe_restrict_all" is created. + +Randomized PIDs +CONFIG_GRKERNSEC_RANDPID + If you say Y here, all PIDs created on the system will be + pseudo-randomly generated. This is extremely effective along + with the /proc restrictions to disallow an attacker from guessing + pids of daemons, etc. PIDs are also used in some cases as part + of a naming system for temporary files, so this option would keep + those filenames from being predicted as well. We also use code + to make sure that PID numbers aren't reused too soon. If the sysctl + option is enabled, a sysctl option with name "rand_pids" is created. + +Larger entropy pools +CONFIG_GRKERNSEC_RANDNET + If you say Y here, the entropy pools used for many features of Linux + and grsecurity will be doubled in size. Since several grsecurity + features use additional randomness, it is recommended that you say Y + here. Saying Y here has a similar effect as modifying + /proc/sys/kernel/random/poolsize. + +Truly random TCP ISN selection +CONFIG_GRKERNSEC_RANDISN + If you say Y here, Linux's default selection of TCP Initial Sequence + Numbers (ISNs) will be replaced with that of OpenBSD. Linux uses + an MD4 hash based on the connection plus a time value to create the + ISN, while OpenBSD's selection is random. If the sysctl option is + enabled, a sysctl option with name "rand_isns" is created. + +Randomized IP IDs +CONFIG_GRKERNSEC_RANDID + If you say Y here, all the id field on all outgoing packets + will be randomized. This hinders os fingerprinters and + keeps your machine from being used as a bounce for an untraceable + portscan. Ids are used for fragmented packets, fragments belonging + to the same packet have the same id. By default linux only + increments the id value on each packet sent to an individual host. + We use a port of the OpenBSD random ip id code to achieve the + randomness, while keeping the possibility of id duplicates to + near none. If the sysctl option is enabled, a sysctl option with name + "rand_ip_ids" is created. + +Randomized TCP source ports +CONFIG_GRKERNSEC_RANDSRC + If you say Y here, situations where a source port is generated on the + fly for the TCP protocol (ie. with connect() ) will be altered so that + the source port is generated at random, instead of a simple incrementing + algorithm. If the sysctl option is enabled, a sysctl option with name + "rand_tcp_src_ports" is created. + +Randomized RPC XIDs +CONFIG_GRKERNSEC_RANDRPC + If you say Y here, the method of determining XIDs for RPC requests will + be randomized, instead of using linux's default behavior of simply + incrementing the XID. If you want your RPC connections to be more + secure, say Y here. If the sysctl option is enabled, a sysctl option + with name "rand_rpc" is created. + +Altered Ping IDs +CONFIG_GRKERNSEC_RANDPING + If you say Y here, the way Linux handles echo replies will be changed + so that the reply uses an ID equal to the ID of the echo request. + This will help in confusing OS detection. If the sysctl option is + enabled, a sysctl option with name "altered_pings" is created. + +Socket restrictions +CONFIG_GRKERNSEC_SOCKET + If you say Y here, you will be able to choose from several options. + If you assign a GID on your system and add it to the supplementary + groups of users you want to restrict socket access to, this patch + will perform up to three things, based on the option(s) you choose. + +Deny all socket access +CONFIG_GRKERNSEC_SOCKET_ALL + If you say Y here, you will be able to choose a GID of whose users will + be unable to connect to other hosts from your machine or run server + applications from your machine. If the sysctl option is enabled, a + sysctl option with name "socket_all" is created. + +Group for disabled socket access +CONFIG_GRKERNSEC_SOCKET_ALL_GID + Here you can choose the GID to disable socket access for. Remember to + add the users you want socket access disabled for to the GID + specified here. If the sysctl option is enabled, whatever you choose + here won't matter. You'll have to specify the GID in your bootup + script by echoing the GID to the proper /proc entry. View the help + on the sysctl option for more information. If the sysctl option is + enabled, a sysctl option with name "socket_all_gid" is created. + +Deny all client socket access +CONFIG_GRKERNSEC_SOCKET_CLIENT + If you say Y here, you will be able to choose a GID of whose users will + be unable to connect to other hosts from your machine, but will be + able to run servers. If this option is enabled, all users in the group + you specify will have to use passive mode when initiating ftp transfers + from the shell on your machine. If the sysctl option is enabled, a + sysctl option with name "socket_client" is created. + +Group for disabled client socket access +CONFIG_GRKERNSEC_SOCKET_CLIENT_GID + Here you can choose the GID to disable client socket access for. + Remember to add the users you want client socket access disabled for to + the GID specified here. If the sysctl option is enabled, whatever you + choose here won't matter. You'll have to specify the GID in your bootup + script by echoing the GID to the proper /proc entry. View the help + on the sysctl option for more information. If the sysctl option is + enabled, a sysctl option with name "socket_client_gid" is created. + +Deny all server socket access +CONFIG_GRKERNSEC_SOCKET_SERVER + If you say Y here, you will be able to choose a GID of whose users will + be unable to run server applications from your machine. If the sysctl + option is enabled, a sysctl option with name "socket_server" is created. + +Group for disabled server socket access +CONFIG_GRKERNSEC_SOCKET_SERVER_GID + Here you can choose the GID to disable server socket access for. + Remember to add the users you want server socket access disabled for to + the GID specified here. If the sysctl option is enabled, whatever you + choose here won't matter. You'll have to specify the GID in your bootup + script by echoing the GID to the proper /proc entry. View the help + on the sysctl option for more information. If the sysctl option is + enabled, a sysctl option with name "socket_server_gid" is created. + +Sysctl support +CONFIG_GRKERNSEC_SYSCTL + If you say Y here, you will be able to change the options that + grsecurity runs with at bootup, without having to recompile your + kernel. You can echo values to files in /proc/sys/kernel/grsecurity + to enable (1) or disable (0) various features. All the sysctl entries + are mutable until the "grsec_lock" entry is set to a non-zero value. + All features are disabled by default. Please note that this option could + reduce the effectiveness of the added security of this patch if an ACL + system is not put in place. Your init scripts should be read-only, and + root should not have access to adding modules or performing raw i/o + operations. All options should be set at startup, and the grsec_lock + entry should be set to a non-zero value after all the options are set. + *THIS IS EXTREMELY IMPORTANT* + +Number of burst messages +CONFIG_GRKERNSEC_FLOODBURST + This option allows you to choose the maximum number of messages allowed + within the flood time interval you chose in a separate option. The + default should be suitable for most people, however if you find that + many of your logs are being interpreted as flooding, you may want to + raise this value. + +Seconds in between log messages +CONFIG_GRKERNSEC_FLOODTIME + This option allows you to enforce the number of seconds between + grsecurity log messages. The default should be suitable for most + people, however, if you choose to change it, choose a value small enough + to allow informative logs to be produced, but large enough to + prevent flooding. + +Hide kernel processes +CONFIG_GRKERNSEC_ACL_HIDEKERN + If you say Y here, when the ACL system is enabled via gradm -E, + an additional ACL will be passed to the kernel that hides all kernel + processes. These processes will only be viewable by the authenticated + admin, or processes that have viewing access set. + +Maximum tries before password lockout +CONFIG_GRKERNSEC_ACL_MAXTRIES + This option enforces the maximum number of times a user can attempt + to authorize themselves with the grsecurity ACL system before being + denied the ability to attempt authorization again for a specified time. + The lower the number, the harder it will be to brute-force a password. + +Time to wait after max password tries, in seconds +CONFIG_GRKERNSEC_ACL_TIMEOUT + This option specifies the time the user must wait after attempting to + authorize to the ACL system with the maximum number of invalid + passwords. The higher the number, the harder it will be to brute-force + a password. + Disable data cache CONFIG_DCACHE_DISABLE This option allows you to run the kernel with data cache disabled. diff -urN linux-2.4.20/Makefile linux-2.4.20/Makefile --- linux-2.4.20/Makefile 2002-11-28 18:53:16.000000000 -0500 +++ linux-2.4.20/Makefile 2003-02-12 23:36:37.000000000 -0500 @@ -1,7 +1,7 @@ VERSION = 2 PATCHLEVEL = 4 SUBLEVEL = 20 -EXTRAVERSION = +EXTRAVERSION = -grsec KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION) @@ -123,9 +123,10 @@ CORE_FILES =kernel/kernel.o mm/mm.o fs/fs.o ipc/ipc.o NETWORKS =net/network.o +GRSECURITY =grsecurity/grsec.o LIBS =$(TOPDIR)/lib/lib.a -SUBDIRS =kernel drivers mm fs net ipc lib +SUBDIRS =kernel drivers mm fs net ipc lib grsecurity DRIVERS-n := DRIVERS-y := @@ -265,7 +266,7 @@ export CPPFLAGS CFLAGS CFLAGS_KERNEL AFLAGS AFLAGS_KERNEL -export NETWORKS DRIVERS LIBS HEAD LDFLAGS LINKFLAGS MAKEBOOT ASFLAGS +export NETWORKS DRIVERS LIBS HEAD LDFLAGS LINKFLAGS MAKEBOOT ASFLAGS GRSECURITY .S.s: $(CPP) $(AFLAGS) $(AFLAGS_KERNEL) -traditional -o $*.s $< @@ -284,6 +285,7 @@ $(CORE_FILES) \ $(DRIVERS) \ $(NETWORKS) \ + $(GRSECURITY) \ $(LIBS) \ --end-group \ -o vmlinux diff -urN linux-2.4.20/arch/alpha/config.in linux-2.4.20/arch/alpha/config.in --- linux-2.4.20/arch/alpha/config.in 2002-11-28 18:53:08.000000000 -0500 +++ linux-2.4.20/arch/alpha/config.in 2003-02-12 23:36:37.000000000 -0500 @@ -425,3 +425,12 @@ endmenu source lib/Config.in + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux-2.4.20/arch/alpha/kernel/osf_sys.c linux-2.4.20/arch/alpha/kernel/osf_sys.c --- linux-2.4.20/arch/alpha/kernel/osf_sys.c 2002-08-02 20:39:42.000000000 -0400 +++ linux-2.4.20/arch/alpha/kernel/osf_sys.c 2003-02-12 23:36:37.000000000 -0500 @@ -240,6 +240,13 @@ if (!file) goto out; } + + if(gr_handle_mmap(file, prot)) { + fput(file); + ret = -EACCES; + goto out; + } + flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE); down_write(¤t->mm->mmap_sem); ret = do_mmap(file, addr, len, prot, flags, off); diff -urN linux-2.4.20/arch/alpha/kernel/ptrace.c linux-2.4.20/arch/alpha/kernel/ptrace.c --- linux-2.4.20/arch/alpha/kernel/ptrace.c 2001-09-18 20:03:51.000000000 -0400 +++ linux-2.4.20/arch/alpha/kernel/ptrace.c 2003-02-12 23:36:37.000000000 -0500 @@ -13,6 +13,7 @@ #include #include #include +#include #include #include @@ -273,6 +274,10 @@ read_unlock(&tasklist_lock); if (!child) goto out_notsk; + + if(gr_handle_ptrace(child, request)) + goto out; + if (request == PTRACE_ATTACH) { ret = ptrace_attach(child); goto out; diff -urN linux-2.4.20/arch/arm/config.in linux-2.4.20/arch/arm/config.in --- linux-2.4.20/arch/arm/config.in 2002-11-28 18:53:09.000000000 -0500 +++ linux-2.4.20/arch/arm/config.in 2003-02-12 23:36:37.000000000 -0500 @@ -657,3 +657,11 @@ endmenu source lib/Config.in + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu diff -urN linux-2.4.20/arch/cris/config.in linux-2.4.20/arch/cris/config.in --- linux-2.4.20/arch/cris/config.in 2002-11-28 18:53:09.000000000 -0500 +++ linux-2.4.20/arch/cris/config.in 2003-02-12 23:36:37.000000000 -0500 @@ -258,3 +258,12 @@ source lib/Config.in endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux-2.4.20/arch/i386/config.in linux-2.4.20/arch/i386/config.in --- linux-2.4.20/arch/i386/config.in 2002-11-28 18:53:09.000000000 -0500 +++ linux-2.4.20/arch/i386/config.in 2003-02-12 23:36:37.000000000 -0500 @@ -456,3 +456,11 @@ endmenu source lib/Config.in + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu diff -urN linux-2.4.20/arch/i386/kernel/apm.c linux-2.4.20/arch/i386/kernel/apm.c --- linux-2.4.20/arch/i386/kernel/apm.c 2002-11-28 18:53:09.000000000 -0500 +++ linux-2.4.20/arch/i386/kernel/apm.c 2003-02-12 23:36:37.000000000 -0500 @@ -1923,6 +1923,12 @@ __va((unsigned long)0x40 << 4)); _set_limit((char *)&gdt[APM_40 >> 3], 4095 - (0x40 << 4)); +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC + set_base(gdt2[APM_40 >> 3], + __va((unsigned long)0x40 << 4)); + _set_limit((char *)&gdt2[APM_40 >> 3], 4095 - (0x40 << 4)); +#endif + apm_bios_entry.offset = apm_info.bios.offset; apm_bios_entry.segment = APM_CS; set_base(gdt[APM_CS >> 3], @@ -1931,6 +1937,16 @@ __va((unsigned long)apm_info.bios.cseg_16 << 4)); set_base(gdt[APM_DS >> 3], __va((unsigned long)apm_info.bios.dseg << 4)); + +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC + set_base(gdt2[APM_CS >> 3], + __va((unsigned long)apm_info.bios.cseg << 4)); + set_base(gdt2[APM_CS_16 >> 3], + __va((unsigned long)apm_info.bios.cseg_16 << 4)); + set_base(gdt2[APM_DS >> 3], + __va((unsigned long)apm_info.bios.dseg << 4)); +#endif + #ifndef APM_RELAX_SEGMENTS if (apm_info.bios.version == 0x100) { #endif @@ -1940,6 +1956,13 @@ _set_limit((char *)&gdt[APM_CS_16 >> 3], 64 * 1024 - 1); /* For the DEC Hinote Ultra CT475 (and others?) */ _set_limit((char *)&gdt[APM_DS >> 3], 64 * 1024 - 1); + +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC + _set_limit((char *)&gdt2[APM_CS >> 3], 64 * 1024 - 1); + _set_limit((char *)&gdt2[APM_CS_16 >> 3], 64 * 1024 - 1); + _set_limit((char *)&gdt2[APM_DS >> 3], 64 * 1024 - 1); +#endif + #ifndef APM_RELAX_SEGMENTS } else { _set_limit((char *)&gdt[APM_CS >> 3], @@ -1948,6 +1971,16 @@ (apm_info.bios.cseg_16_len - 1) & 0xffff); _set_limit((char *)&gdt[APM_DS >> 3], (apm_info.bios.dseg_len - 1) & 0xffff); + +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC + _set_limit((char *)&gdt2[APM_CS >> 3], + (apm_info.bios.cseg_len - 1) & 0xffff); + _set_limit((char *)&gdt2[APM_CS_16 >> 3], + (apm_info.bios.cseg_16_len - 1) & 0xffff); + _set_limit((char *)&gdt2[APM_DS >> 3], + (apm_info.bios.dseg_len - 1) & 0xffff); +#endif + } #endif diff -urN linux-2.4.20/arch/i386/kernel/entry.S linux-2.4.20/arch/i386/kernel/entry.S --- linux-2.4.20/arch/i386/kernel/entry.S 2002-11-28 18:53:09.000000000 -0500 +++ linux-2.4.20/arch/i386/kernel/entry.S 2003-02-12 23:36:37.000000000 -0500 @@ -45,6 +45,7 @@ #include #include #include +#include EBX = 0x00 ECX = 0x04 @@ -209,6 +210,17 @@ jae badsys call *SYMBOL_NAME(sys_call_table)(,%eax,4) movl %eax,EAX(%esp) # save the return value + +#ifdef CONFIG_GRKERNSEC_PAX_RANDKSTACK + cli # need_resched and signals atomic test + cmpl $0,need_resched(%ebx) + jne reschedule + cmpl $0,sigpending(%ebx) + jne signal_return + call SYMBOL_NAME(pax_randomize_kstack) + jmp restore_all +#endif + ENTRY(ret_from_sys_call) cli # need_resched and signals atomic test cmpl $0,need_resched(%ebx) @@ -389,8 +401,56 @@ jmp error_code ENTRY(page_fault) +#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC + ALIGN + pushl $ SYMBOL_NAME(pax_do_page_fault) +#else pushl $ SYMBOL_NAME(do_page_fault) +#endif + +#ifndef CONFIG_GRKERNSEC_PAX_EMUTRAMP jmp error_code +#else + pushl %ds + pushl %eax + xorl %eax,%eax + pushl %ebp + pushl %edi + pushl %esi + pushl %edx + decl %eax # eax = -1 + pushl %ecx + pushl %ebx + cld + movl %es,%ecx + movl ORIG_EAX(%esp), %esi # get the error code + movl ES(%esp), %edi # get the function address + movl %eax, ORIG_EAX(%esp) + movl %ecx, ES(%esp) + movl %esp,%edx + pushl %esi # push the error code + pushl %edx # push the pt_regs pointer + movl $(__KERNEL_DS),%edx + movl %edx,%ds + movl %edx,%es + GET_CURRENT(%ebx) + call *%edi + addl $8,%esp + decl %eax + jnz ret_from_exception + + popl %ebx + popl %ecx + popl %edx + popl %esi + popl %edi + popl %ebp + popl %eax + popl %ds + popl %es + addl $4,%esp + jmp system_call +#endif ENTRY(machine_check) pushl $0 diff -urN linux-2.4.20/arch/i386/kernel/head.S linux-2.4.20/arch/i386/kernel/head.S --- linux-2.4.20/arch/i386/kernel/head.S 2002-08-02 20:39:42.000000000 -0400 +++ linux-2.4.20/arch/i386/kernel/head.S 2003-02-12 23:36:37.000000000 -0500 @@ -372,6 +372,15 @@ SYMBOL_NAME(gdt): .long SYMBOL_NAME(gdt_table) +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC +.globl SYMBOL_NAME(gdt2) + .word 0 +gdt_descr2: + .word GDT_ENTRIES*8-1 +SYMBOL_NAME(gdt2): + .long SYMBOL_NAME(gdt_table2) +#endif + /* * This is initialized to create an identity-mapping at 0-8M (for bootup * purposes) and another mapping of the 0-8M area at virtual address @@ -435,6 +444,26 @@ .quad 0x00cf92000000ffff /* 0x18 kernel 4GB data at 0x00000000 */ .quad 0x00cffa000000ffff /* 0x23 user 4GB code at 0x00000000 */ .quad 0x00cff2000000ffff /* 0x2b user 4GB data at 0x00000000 */ + .quad 0x0000000000000000 /* not used */ + .quad 0x0000000000000000 /* not used */ + /* + * The APM segments have byte granularity and their bases + * and limits are set at run time. + */ + .quad 0x0040920000000000 /* 0x40 APM set up for bad BIOS's */ + .quad 0x00409a0000000000 /* 0x48 APM CS code */ + .quad 0x00009a0000000000 /* 0x50 APM CS 16 code (16 bit) */ + .quad 0x0040920000000000 /* 0x58 APM DS data */ + .fill NR_CPUS*4,8,0 /* space for TSS's and LDT's */ + +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC +ENTRY(gdt_table2) + .quad 0x0000000000000000 /* NULL descriptor */ + .quad 0x0000000000000000 /* not used */ + .quad 0x00cf9a000000ffff /* 0x10 kernel 4GB code at 0x00000000 */ + .quad 0x00cf92000000ffff /* 0x18 kernel 4GB data at 0x00000000 */ + .quad 0x60c5fa000000ffff /* 0x23 user 1.5GB code at 0x60000000 */ + .quad 0x00c5f2000000ffff /* 0x2b user 1.5GB data at 0x00000000 */ .quad 0x0000000000000000 /* not used */ .quad 0x0000000000000000 /* not used */ /* @@ -446,3 +475,4 @@ .quad 0x00009a0000000000 /* 0x50 APM CS 16 code (16 bit) */ .quad 0x0040920000000000 /* 0x58 APM DS data */ .fill NR_CPUS*4,8,0 /* space for TSS's and LDT's */ +#endif diff -urN linux-2.4.20/arch/i386/kernel/i386_ksyms.c linux-2.4.20/arch/i386/kernel/i386_ksyms.c --- linux-2.4.20/arch/i386/kernel/i386_ksyms.c 2002-08-02 20:39:42.000000000 -0400 +++ linux-2.4.20/arch/i386/kernel/i386_ksyms.c 2003-02-12 23:36:37.000000000 -0500 @@ -73,6 +73,9 @@ EXPORT_SYMBOL(get_cmos_time); EXPORT_SYMBOL(apm_info); EXPORT_SYMBOL(gdt); +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC +EXPORT_SYMBOL(gdt2); +#endif EXPORT_SYMBOL(empty_zero_page); #ifdef CONFIG_DEBUG_IOVIRT diff -urN linux-2.4.20/arch/i386/kernel/ioport.c linux-2.4.20/arch/i386/kernel/ioport.c --- linux-2.4.20/arch/i386/kernel/ioport.c 1999-07-19 18:22:48.000000000 -0400 +++ linux-2.4.20/arch/i386/kernel/ioport.c 2003-02-12 23:36:37.000000000 -0500 @@ -14,6 +14,7 @@ #include #include #include +#include /* Set EXTENT bits starting at BASE in BITMAP to value TURN_ON. */ static void set_bitmap(unsigned long *bitmap, short base, short extent, int new_value) @@ -59,8 +60,16 @@ if ((from + num <= from) || (from + num > IO_BITMAP_SIZE*32)) return -EINVAL; +#ifdef CONFIG_GRKERNSEC_IO + if (turn_on) { + gr_handle_ioperm(); +#else if (turn_on && !capable(CAP_SYS_RAWIO)) +#endif return -EPERM; +#ifdef CONFIG_GRKERNSEC_IO + } +#endif /* * If it's the first ioperm() call in this thread's lifetime, set the * IO bitmap up. ioperm() is much less timing critical than clone(), @@ -108,8 +117,13 @@ return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { +#ifdef CONFIG_GRKERNSEC_IO + gr_handle_iopl(); + return -EPERM; +#else if (!capable(CAP_SYS_RAWIO)) return -EPERM; +#endif } regs->eflags = (regs->eflags & 0xffffcfff) | (level << 12); return 0; diff -urN linux-2.4.20/arch/i386/kernel/ldt.c linux-2.4.20/arch/i386/kernel/ldt.c --- linux-2.4.20/arch/i386/kernel/ldt.c 2001-10-17 17:46:29.000000000 -0400 +++ linux-2.4.20/arch/i386/kernel/ldt.c 2003-02-12 23:36:37.000000000 -0500 @@ -122,6 +122,13 @@ } } +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC + if (current->flags & PF_PAX_SEGMEXEC && (ldt_info.contents & 2)) { + error = -EINVAL; + goto out_unlock; + } +#endif + entry_1 = ((ldt_info.base_addr & 0x0000ffff) << 16) | (ldt_info.limit & 0x0ffff); entry_2 = (ldt_info.base_addr & 0xff000000) | diff -urN linux-2.4.20/arch/i386/kernel/process.c linux-2.4.20/arch/i386/kernel/process.c --- linux-2.4.20/arch/i386/kernel/process.c 2002-08-02 20:39:42.000000000 -0400 +++ linux-2.4.20/arch/i386/kernel/process.c 2003-02-12 23:36:37.000000000 -0500 @@ -584,7 +584,11 @@ { struct pt_regs * childregs; +#ifdef CONFIG_GRKERNSEC_PAX_RANDKSTACK + childregs = ((struct pt_regs *) (THREAD_SIZE + (unsigned long) p - sizeof(unsigned long))) - 1; +#else childregs = ((struct pt_regs *) (THREAD_SIZE + (unsigned long) p)) - 1; +#endif struct_cpy(childregs, regs); childregs->eax = 0; childregs->esp = esp; @@ -645,6 +649,16 @@ dump->u_fpvalid = dump_fpu (regs, &dump->i387); } +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC +void pax_reload_gdt(struct task_struct * tsk) +{ + if (tsk->flags & PF_PAX_SEGMEXEC) + __asm__ __volatile__("lgdt %0": "=m" (gdt_descr2)); + else + __asm__ __volatile__("lgdt %0": "=m" (gdt_descr)); +} +#endif + /* * This special macro can be used to load a debugging register */ @@ -684,6 +698,10 @@ unlazy_fpu(prev_p); +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC + pax_reload_gdt(next_p); +#endif + /* * Reload esp0, LDT and the page table pointer: */ @@ -824,3 +842,25 @@ } #undef last_sched #undef first_sched + +#ifdef CONFIG_GRKERNSEC_PAX_RANDKSTACK +asmlinkage void pax_randomize_kstack(void) +{ + struct tss_struct *tss = init_tss + smp_processor_id(); + unsigned long time; + + rdtscl(time); + + /* P4 seems to return a 0 LSB, ignore it */ +#ifdef CONFIG_MPENTIUM4 + time &= 0x3EUL; + time <<= 1; +#else + time &= 0x1FUL; + time <<= 2; +#endif + + current->thread.esp0 ^= time; + tss->esp0 = current->thread.esp0; +} +#endif diff -urN linux-2.4.20/arch/i386/kernel/ptrace.c linux-2.4.20/arch/i386/kernel/ptrace.c --- linux-2.4.20/arch/i386/kernel/ptrace.c 2002-08-02 20:39:42.000000000 -0400 +++ linux-2.4.20/arch/i386/kernel/ptrace.c 2003-02-12 23:36:37.000000000 -0500 @@ -13,6 +13,7 @@ #include #include #include +#include #include #include @@ -177,6 +178,9 @@ if (pid == 1) /* you may not mess with init */ goto out_tsk; + if(gr_handle_ptrace(child, request)) + goto out_tsk; + if (request == PTRACE_ATTACH) { ret = ptrace_attach(child); goto out_tsk; @@ -256,6 +260,17 @@ if(addr < (long) &dummy->u_debugreg[4] && ((unsigned long) data) >= TASK_SIZE-3) break; +#ifdef CONFIG_GRKERNSEC + if(addr >= (long) &dummy->u_debugreg[0] && + addr <= (long) &dummy->u_debugreg[3]){ + long reg = (addr - (long) &dummy->u_debugreg[0]) >> 2; + long type = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 4*reg)) & 3; + long align = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 2 + 4*reg)) & 3; + if((type & 1) && (data & align)) + break; + } +#endif + if(addr == (long) &dummy->u_debugreg[7]) { data &= ~DR_CONTROL_RESERVED; for(i=0; i<4; i++) diff -urN linux-2.4.20/arch/i386/kernel/sys_i386.c linux-2.4.20/arch/i386/kernel/sys_i386.c --- linux-2.4.20/arch/i386/kernel/sys_i386.c 2001-03-19 15:35:09.000000000 -0500 +++ linux-2.4.20/arch/i386/kernel/sys_i386.c 2003-02-12 23:36:37.000000000 -0500 @@ -18,6 +18,7 @@ #include #include #include +#include #include #include @@ -48,6 +49,11 @@ int error = -EBADF; struct file * file = NULL; +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) + if (flags & MAP_MIRROR) + return -EINVAL; +#endif + flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE); if (!(flags & MAP_ANONYMOUS)) { file = fget(fd); @@ -55,8 +61,14 @@ goto out; } + if(gr_handle_mmap(file, prot)) { + fput(file); + error = -EACCES; + goto out; + } + down_write(¤t->mm->mmap_sem); - error = do_mmap_pgoff(file, addr, len, prot, flags, pgoff); + error = do_mmap(file, addr, len, prot, flags, pgoff << PAGE_SHIFT); up_write(¤t->mm->mmap_sem); if (file) diff -urN linux-2.4.20/arch/i386/kernel/traps.c linux-2.4.20/arch/i386/kernel/traps.c --- linux-2.4.20/arch/i386/kernel/traps.c 2002-11-28 18:53:09.000000000 -0500 +++ linux-2.4.20/arch/i386/kernel/traps.c 2003-02-12 23:36:37.000000000 -0500 @@ -855,11 +855,21 @@ void set_tss_desc(unsigned int n, void *addr) { _set_tssldt_desc(gdt_table+__TSS(n), (int)addr, 235, 0x89); + +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC + _set_tssldt_desc(gdt_table2+__TSS(n), (int)addr, 235, 0x89); +#endif + } void set_ldt_desc(unsigned int n, void *addr, unsigned int size) { _set_tssldt_desc(gdt_table+__LDT(n), (int)addr, ((size << 3)-1), 0x82); + +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC + _set_tssldt_desc(gdt_table2+__LDT(n), (int)addr, ((size << 3)-1), 0x82); +#endif + } #ifdef CONFIG_X86_VISWS_APIC diff -urN linux-2.4.20/arch/i386/mm/fault.c linux-2.4.20/arch/i386/mm/fault.c --- linux-2.4.20/arch/i386/mm/fault.c 2002-11-28 18:53:09.000000000 -0500 +++ linux-2.4.20/arch/i386/mm/fault.c 2003-02-12 23:36:37.000000000 -0500 @@ -4,6 +4,7 @@ * Copyright (C) 1995 Linus Torvalds */ +#include #include #include #include @@ -19,6 +20,8 @@ #include #include #include /* For unblank_screen() */ +#include +#include #include #include @@ -127,6 +130,11 @@ asmlinkage void do_invalid_op(struct pt_regs *, unsigned long); extern unsigned long idt; +#if defined(CONFIG_GRKERNSEC_PAX_PAGEEXEC) || defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) +static void pax_report_fault(struct pt_regs *regs); +static int pax_handle_read_fault(struct pt_regs *regs); +#endif + /* * This routine handles page faults. It determines the address, * and the problem, and then passes it off to one of the appropriate @@ -137,23 +145,31 @@ * bit 1 == 0 means read, 1 means write * bit 2 == 0 means kernel, 1 means user-mode */ -asmlinkage void do_page_fault(struct pt_regs *regs, unsigned long error_code) +#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC +static int do_page_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address) +#else +asmlinkage int do_page_fault(struct pt_regs *regs, unsigned long error_code) +#endif { struct task_struct *tsk; struct mm_struct *mm; struct vm_area_struct * vma; +#ifndef CONFIG_GRKERNSEC_PAX_PAGEEXEC unsigned long address; +#endif unsigned long page; unsigned long fixup; int write; siginfo_t info; +#ifndef CONFIG_GRKERNSEC_PAX_PAGEEXEC /* get the address */ __asm__("movl %%cr2,%0":"=r" (address)); /* It's safe to allow irq's after cr2 has been saved */ - if (regs->eflags & X86_EFLAGS_IF) + if (likely(regs->eflags & X86_EFLAGS_IF)) local_irq_enable(); +#endif tsk = current; @@ -258,7 +274,7 @@ tsk->thread.screen_bitmap |= 1 << bit; } up_read(&mm->mmap_sem); - return; + return 0; /* * Something tried to access memory that isn't in our memory map.. @@ -269,6 +285,39 @@ /* User mode accesses just cause a SIGSEGV */ if (error_code & 4) { +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC + if (current->flags & PF_PAX_SEGMEXEC) { + +#if defined(CONFIG_GRKERNSEC_PAX_EMUTRAMP) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) + if ((error_code == 4) && (regs->eip + SEGMEXEC_TASK_SIZE == address)) { + switch (pax_handle_read_fault(regs)) { + +#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC + case 5: + return 0; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP + case 4: + return 0; + case 3: + case 2: + return 1; +#endif + + case 1: + default: + } + } +#endif + + if (address >= SEGMEXEC_TASK_SIZE) { + pax_report_fault(regs); + do_exit(SIGKILL); + } + } +#endif + tsk->thread.cr2 = address; tsk->thread.error_code = error_code; tsk->thread.trap_no = 14; @@ -277,7 +326,7 @@ /* info.si_code has been set above */ info.si_addr = (void *)address; force_sig_info(SIGSEGV, &info, tsk); - return; + return 0; } /* @@ -290,7 +339,7 @@ if (nr == 6) { do_invalid_op(regs, 0); - return; + return 0; } } @@ -298,7 +347,7 @@ /* Are we prepared to handle this kernel fault? */ if ((fixup = search_exception_table(regs->eip)) != 0) { regs->eip = fixup; - return; + return 0; } /* @@ -362,7 +411,7 @@ /* Kernel mode? Handle exceptions or die */ if (!(error_code & 4)) goto no_context; - return; + return 0; vmalloc_fault: { @@ -395,6 +444,365 @@ pte_k = pte_offset(pmd_k, address); if (!pte_present(*pte_k)) goto no_context; - return; + return 0; + } +} +#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC +/* PaX: called with the page_table_lock spinlock held */ +static inline pte_t * pax_get_pte(struct mm_struct *mm, unsigned long address) +{ + pgd_t *pgd; + pmd_t *pmd; + + pgd = pgd_offset(mm, address); + if (!pgd || !pgd_present(*pgd)) + return 0; + pmd = pmd_offset(pgd, address); + if (!pmd || !pmd_present(*pmd)) + return 0; + return pte_offset(pmd, address); +} +#endif + +/* + * PaX: decide what to do with offenders (regs->eip = fault address) + * + * returns 1 when task should be killed + * 2 when sigreturn trampoline was detected + * 3 when rt_sigreturn trampoline was detected + * 4 when gcc trampoline was detected + * 5 when legitimate ET_EXEC was detected + */ +#if defined(CONFIG_GRKERNSEC_PAX_PAGEEXEC) || defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) +static int pax_handle_read_fault(struct pt_regs *regs) +{ +#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP + static const unsigned char trans[8] = {6, 1, 2, 0, 13, 5, 3, 4}; +#endif + int err; + +#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC + if (current->flags & PF_PAX_RANDEXEC) { + unsigned long esp_4; + if (regs->eip >= current->mm->start_code && + regs->eip < current->mm->end_code) + { + err = get_user(esp_4, (unsigned long*)(regs->esp-4UL)); + if (!err && esp_4 != regs->eip) { + regs->eip += current->mm->delta_exec; + return 5; + } + return 1; + } + } +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP + +#ifndef CONFIG_GRKERNSEC_PAX_EMUSIGRT + if (!(current->flags & PF_PAX_EMUTRAMP)) + return 1; +#endif + + { /* PaX: sigreturn emulation */ + unsigned char pop, mov; + unsigned short sys; + unsigned long nr; + + err = get_user(pop, (unsigned char *)(regs->eip)); + err |= get_user(mov, (unsigned char *)(regs->eip + 1)); + err |= get_user(nr, (unsigned long *)(regs->eip + 2)); + err |= get_user(sys, (unsigned short *)(regs->eip + 6)); + + if (!err) { + if (pop == 0x58 && + mov == 0xb8 && + nr == __NR_sigreturn && + sys == 0x80cd) + { + +#ifdef CONFIG_GRKERNSEC_PAX_EMUSIGRT + int sig; + struct k_sigaction *ka; + __sighandler_t handler; + + if (get_user(sig, (int *)regs->esp)) + return 1; + if (sig < 1 || sig > _NSIG || sig == SIGKILL || sig == SIGSTOP) + return 1; + ka = ¤t->sig->action[sig-1]; + handler = ka->sa.sa_handler; + if (handler == SIG_DFL || handler == SIG_IGN) { + if (!(current->flags & PF_PAX_EMUTRAMP)) + return 1; + } else if (ka->sa.sa_flags & SA_SIGINFO) + return 1; +#endif + + regs->esp += 4; + regs->eax = nr; + regs->eip += 8; + return 2; + } + } + } + + { /* PaX: rt_sigreturn emulation */ + unsigned char mov; + unsigned short sys; + unsigned long nr; + + err = get_user(mov, (unsigned char *)(regs->eip)); + err |= get_user(nr, (unsigned long *)(regs->eip + 1)); + err |= get_user(sys, (unsigned short *)(regs->eip + 5)); + + if (!err) { + if (mov == 0xb8 && + nr == __NR_rt_sigreturn && + sys == 0x80cd) + { + +#ifdef CONFIG_GRKERNSEC_PAX_EMUSIGRT + int sig; + struct k_sigaction *ka; + __sighandler_t handler; + + if (get_user(sig, (int *)regs->esp)) + return 1; + if (sig < 1 || sig > _NSIG || sig == SIGKILL || sig == SIGSTOP) + return 1; + ka = ¤t->sig->action[sig-1]; + handler = ka->sa.sa_handler; + if (handler == SIG_DFL || handler == SIG_IGN) { + if (!(current->flags & PF_PAX_EMUTRAMP)) + return 1; + } else if (ka->sa.sa_flags & SA_SIGINFO) + return 1; +#endif + + regs->eax = nr; + regs->eip += 7; + return 3; + } + } + } + +#ifdef CONFIG_GRKERNSEC_PAX_EMUSIGRT + if (!(current->flags & PF_PAX_EMUTRAMP)) + return 1; +#endif + + { /* PaX: gcc trampoline emulation #1 */ + unsigned char mov1, mov2; + unsigned short jmp; + unsigned long addr1, addr2, ret; + + err = get_user(mov1, (unsigned char *)(regs->eip)); + err |= get_user(addr1, (unsigned long *)(regs->eip + 1)); + err |= get_user(mov2, (unsigned char *)(regs->eip + 5)); + err |= get_user(addr2, (unsigned long *)(regs->eip + 6)); + err |= get_user(jmp, (unsigned short *)(regs->eip + 10)); + err |= get_user(ret, (unsigned long *)(regs->esp)); + + if (!err) { + unsigned short call; + + err = get_user(call, (unsigned short *)(ret-2)); + if (!err) { + if ((mov1 & 0xF8) == 0xB8 && + (mov2 & 0xF8) == 0xB8 && + (mov1 & 0x07) != (mov2 & 0x07) && + (jmp & 0xF8FF) == 0xE0FF && + (mov2 & 0x07) == ((jmp>>8) & 0x07) && + (call & 0xF8FF) == 0xD0FF && + (regs->eip == ((unsigned long*)regs)[trans[(call>>8) & 0x07]])) + { + ((unsigned long *)regs)[trans[mov1 & 0x07]] = addr1; + ((unsigned long *)regs)[trans[mov2 & 0x07]] = addr2; + regs->eip = addr2; + return 4; + } + } + } + } + + { /* PaX: gcc trampoline emulation #2 */ + unsigned char mov, jmp; + unsigned long addr1, addr2, ret; + + err = get_user(mov, (unsigned char *)(regs->eip)); + err |= get_user(addr1, (unsigned long *)(regs->eip + 1)); + err |= get_user(jmp, (unsigned char *)(regs->eip + 5)); + err |= get_user(addr2, (unsigned long *)(regs->eip + 6)); + err |= get_user(ret, (unsigned long *)(regs->esp)); + + if (!err) { + unsigned short call; + + err = get_user(call, (unsigned short *)(ret-2)); + if (!err) { + if ((mov & 0xF8) == 0xB8 && + jmp == 0xE9 && + (call & 0xF8FF) == 0xD0FF && + (regs->eip == ((unsigned long*)regs)[trans[(call>>8) & 0x07]])) + { + ((unsigned long *)regs)[trans[mov & 0x07]] = addr1; + regs->eip += addr2 + 10; + return 4; + } + } + } } +#endif + + return 1; /* PaX in action */ } + +static void pax_report_fault(struct pt_regs *regs) +{ + struct task_struct *tsk = current; + struct mm_struct *mm = current->mm; + char* buffer = (char*)__get_free_page(GFP_ATOMIC); + char* path=NULL; + unsigned long i; + + if (buffer) { + struct vm_area_struct* vma; + + down_read(&mm->mmap_sem); + vma = mm->mmap; + while (vma) { + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file) { + break; + } + vma = vma->vm_next; + } + if (vma) + path = d_path(vma->vm_file->f_dentry, vma->vm_file->f_vfsmnt, buffer, PAGE_SIZE); + up_read(&mm->mmap_sem); + } + if (tsk->curr_ip) + printk(KERN_ERR "PAX: From %u.%u.%u.%u: terminating task: %.930s(%.16s):%d, uid/euid: %u/%u, " + "EIP: %08lX, ESP: %08lX\n", NIPQUAD(tsk->curr_ip), + path, tsk->comm, tsk->pid, tsk->uid, tsk->euid, + regs->eip, regs->esp); + else + printk(KERN_ERR "PAX: terminating task: %.930s(%.16s):%d, uid/euid: %u/%u, " + "EIP: %08lX, ESP: %08lX\n", path, tsk->comm, tsk->pid, + tsk->uid, tsk->euid, regs->eip, regs->esp); + + if (buffer) free_page((unsigned long)buffer); + printk(KERN_ERR "PAX: bytes at EIP: "); + for (i = 0; i < 20; i++) { + unsigned char c; + if (get_user(c, (unsigned char*)(regs->eip+i))) { + printk("."); + break; + } + printk("%02x ", c); + } + printk("\n"); + do_coredump(SIGKILL, regs); +} +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC +/* + * PaX: handle the extra page faults or pass it down to the original handler + * + * returns 0 when nothing special was detected + * 1 when sigreturn trampoline (syscall) has to be emulated + */ +asmlinkage int pax_do_page_fault(struct pt_regs *regs, unsigned long error_code) +{ + struct mm_struct *mm = current->mm; + unsigned long address; + pte_t *pte; + unsigned char pte_mask; + int ret; + + __asm__("movl %%cr2,%0":"=r" (address)); + + /* It's safe to allow irq's after cr2 has been saved */ + if (regs->eflags & X86_EFLAGS_IF) + local_irq_enable(); + + if (unlikely((error_code & 5) != 5 || + address >= TASK_SIZE || + !(current->flags & PF_PAX_PAGEEXEC))) + return do_page_fault(regs, error_code, address); + + /* PaX: it's our fault, let's handle it if we can */ + + /* PaX: take a look at read faults before acquiring any locks */ + if (unlikely((error_code == 5) && (regs->eip == address))) { + /* instruction fetch attempt from a protected page in user mode */ + ret = pax_handle_read_fault(regs); + switch (ret) { +#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC + case 5: + return 0; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP + + case 4: + return 0; + case 3: + case 2: return 1; +#endif + case 1: + default: + pax_report_fault(regs); + do_exit(SIGKILL); + } + } + + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & 2) << (_PAGE_BIT_DIRTY-1)); + + spin_lock(&mm->page_table_lock); + pte = pax_get_pte(mm, address); + if (unlikely(!pte || !(pte_val(*pte) & _PAGE_PRESENT) || pte_exec(*pte))) { + spin_unlock(&mm->page_table_lock); + do_page_fault(regs, error_code, address); + return 0; + } + + if (unlikely((error_code == 7) && !pte_write(*pte))) { + /* write attempt to a protected page in user mode */ + spin_unlock(&mm->page_table_lock); + do_page_fault(regs, error_code, address); + return 0; + } + + /* + * PaX: fill DTLB with user rights and retry + */ + __asm__ __volatile__ ( + "orb %2,%1\n" +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC) +/* + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any* + * page fault when examined during a TLB load attempt. this is true not only + * for PTEs holding a non-present entry but also present entries that will + * raise a page fault (such as those set up by PaX, or the copy-on-write + * mechanism). in effect it means that we do *not* need to flush the TLBs + * for our target pages since their PTEs are simply not in the TLBs at all. + * the best thing in omitting it is that we gain around 15-20% speed in + * fast path of the page fault handler and can get rid of tracing since we + * can no longer flush unintended entries. + */ + + "invlpg %0\n" +#endif + + "testb $0,%0\n" + "xorb %3,%1\n" + : + : "m" (*(char*)address), "m" (*(char*)pte) , "q" (pte_mask) , "i" (_PAGE_USER) + : "memory", "cc"); + spin_unlock(&mm->page_table_lock); + return 0; +} +#endif diff -urN linux-2.4.20/arch/ia64/config.in linux-2.4.20/arch/ia64/config.in --- linux-2.4.20/arch/ia64/config.in 2002-11-28 18:53:09.000000000 -0500 +++ linux-2.4.20/arch/ia64/config.in 2003-02-12 23:36:37.000000000 -0500 @@ -293,3 +293,12 @@ fi endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux-2.4.20/arch/ia64/kernel/ptrace.c linux-2.4.20/arch/ia64/kernel/ptrace.c --- linux-2.4.20/arch/ia64/kernel/ptrace.c 2002-08-02 20:39:42.000000000 -0400 +++ linux-2.4.20/arch/ia64/kernel/ptrace.c 2003-02-12 23:36:37.000000000 -0500 @@ -15,6 +15,7 @@ #include #include #include +#include #include #include @@ -1118,6 +1119,9 @@ if (pid == 1) /* no messing around with init! */ goto out_tsk; + if (gr_handle_ptrace(child, request)) + goto out_tsk; + if (request == PTRACE_ATTACH) { ret = ptrace_attach(child); goto out_tsk; diff -urN linux-2.4.20/arch/ia64/kernel/sys_ia64.c linux-2.4.20/arch/ia64/kernel/sys_ia64.c --- linux-2.4.20/arch/ia64/kernel/sys_ia64.c 2002-11-28 18:53:09.000000000 -0500 +++ linux-2.4.20/arch/ia64/kernel/sys_ia64.c 2003-02-12 23:36:37.000000000 -0500 @@ -15,6 +15,7 @@ #include #include #include +#include #include #include @@ -212,6 +213,11 @@ goto out; } + if (gr_handle_mmap(file, prot)) { + addr = -EACCES; + goto out; + } + down_write(¤t->mm->mmap_sem); addr = do_mmap_pgoff(file, addr, len, prot, flags, pgoff); up_write(¤t->mm->mmap_sem); diff -urN linux-2.4.20/arch/m68k/config.in linux-2.4.20/arch/m68k/config.in --- linux-2.4.20/arch/m68k/config.in 2002-11-28 18:53:09.000000000 -0500 +++ linux-2.4.20/arch/m68k/config.in 2003-02-12 23:36:37.000000000 -0500 @@ -558,3 +558,11 @@ endmenu source lib/Config.in + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu diff -urN linux-2.4.20/arch/mips/config.in linux-2.4.20/arch/mips/config.in --- linux-2.4.20/arch/mips/config.in 2002-11-28 18:53:09.000000000 -0500 +++ linux-2.4.20/arch/mips/config.in 2003-02-12 23:36:37.000000000 -0500 @@ -7,3 +7,11 @@ define_bool CONFIG_MIPS64 n source arch/mips/config-shared.in + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu diff -urN linux-2.4.20/arch/mips64/config.in linux-2.4.20/arch/mips64/config.in --- linux-2.4.20/arch/mips64/config.in 2002-11-28 18:53:10.000000000 -0500 +++ linux-2.4.20/arch/mips64/config.in 2003-02-12 23:36:37.000000000 -0500 @@ -7,3 +7,11 @@ define_bool CONFIG_MIPS64 y source arch/mips/config-shared.in + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu diff -urN linux-2.4.20/arch/parisc/config.in linux-2.4.20/arch/parisc/config.in --- linux-2.4.20/arch/parisc/config.in 2002-11-28 18:53:10.000000000 -0500 +++ linux-2.4.20/arch/parisc/config.in 2003-02-12 23:36:37.000000000 -0500 @@ -197,3 +197,11 @@ endmenu source lib/Config.in + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu diff -urN linux-2.4.20/arch/parisc/kernel/ioctl32.c linux-2.4.20/arch/parisc/kernel/ioctl32.c --- linux-2.4.20/arch/parisc/kernel/ioctl32.c 2002-11-28 18:53:10.000000000 -0500 +++ linux-2.4.20/arch/parisc/kernel/ioctl32.c 2003-02-12 23:36:37.000000000 -0500 @@ -1434,7 +1434,11 @@ * To have permissions to do most of the vt ioctls, we either have * to be the owner of the tty, or super-user. */ +#ifdef CONFIG_GRKERNSEC + if (current->tty == tty || capable(CAP_SYS_TTY_CONFIG)) +#else if (current->tty == tty || suser()) +#endif return 1; return 0; } diff -urN linux-2.4.20/arch/parisc/kernel/ptrace.c linux-2.4.20/arch/parisc/kernel/ptrace.c --- linux-2.4.20/arch/parisc/kernel/ptrace.c 2002-11-28 18:53:10.000000000 -0500 +++ linux-2.4.20/arch/parisc/kernel/ptrace.c 2003-02-12 23:36:37.000000000 -0500 @@ -15,7 +15,7 @@ #include #include #include - +#include #include #include #include @@ -119,6 +119,9 @@ if (pid == 1) /* no messing around with init! */ goto out_tsk; + if (gr_handle_ptrace(child, ptrace)) + goto out_tsk; + if (request == PTRACE_ATTACH) { ret = ptrace_attach(child); goto out_tsk; diff -urN linux-2.4.20/arch/parisc/kernel/sys_parisc.c linux-2.4.20/arch/parisc/kernel/sys_parisc.c --- linux-2.4.20/arch/parisc/kernel/sys_parisc.c 2002-11-28 18:53:10.000000000 -0500 +++ linux-2.4.20/arch/parisc/kernel/sys_parisc.c 2003-02-12 23:36:37.000000000 -0500 @@ -12,6 +12,7 @@ #include #include #include +#include int sys_pipe(int *fildes) { @@ -110,6 +111,11 @@ goto out; } + if (gr_handle_mmap(file, prot)) { + fput(file); + return -EACCES; + } + flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE); down_write(¤t->mm->mmap_sem); diff -urN linux-2.4.20/arch/ppc/config.in linux-2.4.20/arch/ppc/config.in --- linux-2.4.20/arch/ppc/config.in 2002-11-28 18:53:11.000000000 -0500 +++ linux-2.4.20/arch/ppc/config.in 2003-02-12 23:36:37.000000000 -0500 @@ -425,3 +425,12 @@ fi fi endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux-2.4.20/arch/ppc/kernel/ptrace.c linux-2.4.20/arch/ppc/kernel/ptrace.c --- linux-2.4.20/arch/ppc/kernel/ptrace.c 2002-11-28 18:53:11.000000000 -0500 +++ linux-2.4.20/arch/ppc/kernel/ptrace.c 2003-02-12 23:36:37.000000000 -0500 @@ -27,6 +27,7 @@ #include #include #include +#include #include #include @@ -185,6 +186,9 @@ if (pid == 1) /* you may not mess with init */ goto out_tsk; + if (gr_handle_ptrace(child, request)) + goto out_tsk; + if (request == PTRACE_ATTACH) { ret = ptrace_attach(child); goto out_tsk; diff -urN linux-2.4.20/arch/ppc/kernel/syscalls.c linux-2.4.20/arch/ppc/kernel/syscalls.c --- linux-2.4.20/arch/ppc/kernel/syscalls.c 2002-08-02 20:39:43.000000000 -0400 +++ linux-2.4.20/arch/ppc/kernel/syscalls.c 2003-02-12 23:36:37.000000000 -0500 @@ -38,6 +38,7 @@ #include #include #include +#include #include #include @@ -202,6 +203,12 @@ goto out; } + if (gr_handle_mmap(file, prot)) { + fput(file); + ret = -EACCES; + goto out; + } + down_write(¤t->mm->mmap_sem); ret = do_mmap_pgoff(file, addr, len, prot, flags, pgoff); up_write(¤t->mm->mmap_sem); diff -urN linux-2.4.20/arch/ppc64/kernel/ioctl32.c linux-2.4.20/arch/ppc64/kernel/ioctl32.c --- linux-2.4.20/arch/ppc64/kernel/ioctl32.c 2002-11-28 18:53:11.000000000 -0500 +++ linux-2.4.20/arch/ppc64/kernel/ioctl32.c 2003-02-12 23:36:37.000000000 -0500 @@ -1761,7 +1761,11 @@ * To have permissions to do most of the vt ioctls, we either have * to be the owner of the tty, or super-user. */ +#ifdef CONFIG_GRKERNSEC + if (current->tty == tty || capable(CAP_SYS_TTY_CONFIG)) +#else if (current->tty == tty || suser()) +#endif return 1; return 0; } diff -urN linux-2.4.20/arch/s390/config.in linux-2.4.20/arch/s390/config.in --- linux-2.4.20/arch/s390/config.in 2002-11-28 18:53:11.000000000 -0500 +++ linux-2.4.20/arch/s390/config.in 2003-02-12 23:36:37.000000000 -0500 @@ -76,3 +76,11 @@ endmenu source lib/Config.in + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu diff -urN linux-2.4.20/arch/s390x/config.in linux-2.4.20/arch/s390x/config.in --- linux-2.4.20/arch/s390x/config.in 2002-11-28 18:53:11.000000000 -0500 +++ linux-2.4.20/arch/s390x/config.in 2003-02-12 23:36:37.000000000 -0500 @@ -80,3 +80,11 @@ endmenu source lib/Config.in + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu diff -urN linux-2.4.20/arch/sh/config.in linux-2.4.20/arch/sh/config.in --- linux-2.4.20/arch/sh/config.in 2002-11-28 18:53:11.000000000 -0500 +++ linux-2.4.20/arch/sh/config.in 2003-02-12 23:36:37.000000000 -0500 @@ -388,3 +388,11 @@ endmenu source lib/Config.in + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu diff -urN linux-2.4.20/arch/sparc/config.in linux-2.4.20/arch/sparc/config.in --- linux-2.4.20/arch/sparc/config.in 2002-11-28 18:53:12.000000000 -0500 +++ linux-2.4.20/arch/sparc/config.in 2003-02-12 23:36:37.000000000 -0500 @@ -268,3 +268,11 @@ endmenu source lib/Config.in + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu diff -urN linux-2.4.20/arch/sparc/kernel/ptrace.c linux-2.4.20/arch/sparc/kernel/ptrace.c --- linux-2.4.20/arch/sparc/kernel/ptrace.c 2002-08-02 20:39:43.000000000 -0400 +++ linux-2.4.20/arch/sparc/kernel/ptrace.c 2003-02-12 23:36:37.000000000 -0500 @@ -17,6 +17,7 @@ #include #include #include +#include #include #include @@ -310,6 +311,9 @@ goto out; } + if(gr_handle_ptrace(child, request)) + goto out_tsk; + if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH) || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) { if (ptrace_attach(child)) { diff -urN linux-2.4.20/arch/sparc/kernel/sys_sparc.c linux-2.4.20/arch/sparc/kernel/sys_sparc.c --- linux-2.4.20/arch/sparc/kernel/sys_sparc.c 2001-04-13 23:15:55.000000000 -0400 +++ linux-2.4.20/arch/sparc/kernel/sys_sparc.c 2003-02-12 23:36:37.000000000 -0500 @@ -20,6 +20,7 @@ #include #include #include +#include #include #include @@ -240,6 +241,12 @@ if (len > TASK_SIZE - PAGE_SIZE || addr + len > TASK_SIZE - PAGE_SIZE) goto out_putf; + if (gr_handle_mmap(file, prot)) { + fput(file); + retval = -EACCES; + goto out; + } + flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE); down_write(¤t->mm->mmap_sem); diff -urN linux-2.4.20/arch/sparc64/config.in linux-2.4.20/arch/sparc64/config.in --- linux-2.4.20/arch/sparc64/config.in 2002-11-28 18:53:12.000000000 -0500 +++ linux-2.4.20/arch/sparc64/config.in 2003-02-12 23:36:37.000000000 -0500 @@ -310,3 +310,11 @@ endmenu source lib/Config.in + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu diff -urN linux-2.4.20/arch/sparc64/kernel/ioctl32.c linux-2.4.20/arch/sparc64/kernel/ioctl32.c --- linux-2.4.20/arch/sparc64/kernel/ioctl32.c 2002-11-28 18:53:12.000000000 -0500 +++ linux-2.4.20/arch/sparc64/kernel/ioctl32.c 2003-02-12 23:36:37.000000000 -0500 @@ -2133,7 +2133,11 @@ * To have permissions to do most of the vt ioctls, we either have * to be the owner of the tty, or super-user. */ +#ifdef CONFIG_GRKERNSEC + if (current->tty == tty || capable(CAP_SYS_TTY_CONFIG)) +#else if (current->tty == tty || suser()) +#endif return 1; return 0; } diff -urN linux-2.4.20/arch/sparc64/kernel/ptrace.c linux-2.4.20/arch/sparc64/kernel/ptrace.c --- linux-2.4.20/arch/sparc64/kernel/ptrace.c 2002-11-28 18:53:12.000000000 -0500 +++ linux-2.4.20/arch/sparc64/kernel/ptrace.c 2003-02-12 23:36:37.000000000 -0500 @@ -18,6 +18,7 @@ #include #include #include +#include #include #include @@ -161,6 +162,11 @@ goto out; } + if (gr_handle_ptrace(child, (long)request)) { + pt_error_return(regs, EPERM); + goto out; + } + if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH) || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) { if (ptrace_attach(child)) { diff -urN linux-2.4.20/arch/sparc64/kernel/sys_sparc.c linux-2.4.20/arch/sparc64/kernel/sys_sparc.c --- linux-2.4.20/arch/sparc64/kernel/sys_sparc.c 2002-08-02 20:39:43.000000000 -0400 +++ linux-2.4.20/arch/sparc64/kernel/sys_sparc.c 2003-02-12 23:36:37.000000000 -0500 @@ -24,6 +24,7 @@ #include #include #include +#include #include #include @@ -76,6 +77,11 @@ addr = PAGE_ALIGN(addr); task_size -= len; +#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP + if (current->flags & PF_PAX_RANDMMAP) + addr += current->mm->delta_mmap; +#endif + for (vmm = find_vma(current->mm, addr); ; vmm = vmm->vm_next) { /* At this point: (!vmm || addr < vmm->vm_end). */ if (addr < PAGE_OFFSET && -PAGE_OFFSET - len < addr) { @@ -285,6 +291,12 @@ if (!file) goto out; } + + if (gr_handle_mmap(file, prot)) { + retval = -EACCES; + goto out_putf; + } + flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE); len = PAGE_ALIGN(len); retval = -EINVAL; diff -urN linux-2.4.20/arch/sparc64/kernel/sys_sparc32.c linux-2.4.20/arch/sparc64/kernel/sys_sparc32.c --- linux-2.4.20/arch/sparc64/kernel/sys_sparc32.c 2002-11-28 18:53:12.000000000 -0500 +++ linux-2.4.20/arch/sparc64/kernel/sys_sparc32.c 2003-02-12 23:36:37.000000000 -0500 @@ -50,6 +50,8 @@ #include #include #include +#include +#include #include #include @@ -3111,6 +3113,15 @@ int i; bprm.p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *); + +#ifdef CONFIG_GRKERNSEC_PAX_RANDUSTACK + { + unsigned short delta; + get_random_bytes(&delta, sizeof(delta)); + bprm.p -= (delta & ~(sizeof(void *)-1)) & ~PAGE_MASK; + } +#endif + memset(bprm.page, 0, MAX_ARG_PAGES * sizeof(bprm.page[0])); file = open_exec(filename); @@ -3119,6 +3130,20 @@ if (IS_ERR(file)) return retval; + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->user->processes)); + + if (gr_handle_nproc()) { + allow_write_access(file); + fput(file); + return -EAGAIN; + } + + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) { + allow_write_access(file); + fput(file); + return -EACCES; + } + bprm.file = file; bprm.filename = filename; bprm.sh_bang = 0; @@ -3139,11 +3164,26 @@ if (retval < 0) goto out; + if(!gr_tpe_allow(file)) { + retval = -EACCES; + goto out; + } + + if (gr_check_crash_exec(file)) { + retval = -EACCES; + goto out; + } + retval = copy_strings_kernel(1, &bprm.filename, &bprm); if (retval < 0) goto out; bprm.exec = bprm.p; + + gr_set_proc_label(file->f_dentry, file->f_vfsmnt); + + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt); + retval = copy_strings32(bprm.envc, envp, &bprm); if (retval < 0) goto out; diff -urN linux-2.4.20/arch/x86_64/ia32/ia32_ioctl.c linux-2.4.20/arch/x86_64/ia32/ia32_ioctl.c --- linux-2.4.20/arch/x86_64/ia32/ia32_ioctl.c 2002-11-28 18:53:12.000000000 -0500 +++ linux-2.4.20/arch/x86_64/ia32/ia32_ioctl.c 2003-02-12 23:36:37.000000000 -0500 @@ -1660,7 +1660,11 @@ * To have permissions to do most of the vt ioctls, we either have * to be the owner of the tty, or super-user. */ +#ifdef CONFIG_GRKERNSEC + if (current->tty == tty || capable(CAP_SYS_TTY_CONFIG)) +#else if (current->tty == tty || suser()) +#endif return 1; return 0; } diff -urN linux-2.4.20/drivers/char/mem.c linux-2.4.20/drivers/char/mem.c --- linux-2.4.20/drivers/char/mem.c 2002-08-02 20:39:43.000000000 -0400 +++ linux-2.4.20/drivers/char/mem.c 2003-02-12 23:36:37.000000000 -0500 @@ -21,6 +21,7 @@ #include #include #include +#include #include #include @@ -114,6 +115,11 @@ unsigned long p = *ppos; unsigned long end_mem; +#ifdef CONFIG_GRKERNSEC_KMEM + gr_handle_mem_write(); + return -EPERM; +#endif + end_mem = __pa(high_memory); if (p >= end_mem) return 0; @@ -186,6 +192,12 @@ { unsigned long offset = vma->vm_pgoff << PAGE_SHIFT; +#ifdef CONFIG_GRKERNSEC_KMEM + if (gr_handle_mem_mmap(offset, vma)) + return -EPERM; +#endif + + /* * Accessing memory above the top the kernel knows about or * through a file pointer that was marked O_SYNC will be @@ -285,6 +297,11 @@ ssize_t virtr = 0; char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */ +#ifdef CONFIG_GRKERNSEC_KMEM + gr_handle_kmem_write(); + return -EPERM; +#endif + if (p < (unsigned long) high_memory) { wrote = count; if (count > (unsigned long) high_memory - p) @@ -401,7 +418,7 @@ count = size; zap_page_range(mm, addr, count); - zeromap_page_range(addr, count, PAGE_COPY); + zeromap_page_range(addr, count, vma->vm_page_prot); size -= count; buf += count; @@ -517,6 +534,15 @@ static int open_port(struct inode * inode, struct file * filp) { +#ifdef CONFIG_GRKERNSEC_KMEM + gr_handle_open_port(); + return -EPERM; +#endif + return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; +} + +static int open_mem(struct inode * inode, struct file * filp) +{ return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; } @@ -525,7 +551,6 @@ #define full_lseek null_lseek #define write_zero write_null #define read_full read_zero -#define open_mem open_port #define open_kmem open_mem static struct file_operations mem_fops = { diff -urN linux-2.4.20/drivers/char/random.c linux-2.4.20/drivers/char/random.c --- linux-2.4.20/drivers/char/random.c 2002-11-28 18:53:12.000000000 -0500 +++ linux-2.4.20/drivers/char/random.c 2003-02-12 23:36:37.000000000 -0500 @@ -260,9 +260,15 @@ /* * Configuration information */ +#ifdef CONFIG_GRKERNSEC_RANDNET +#define DEFAULT_POOL_SIZE 1024 +#define SECONDARY_POOL_SIZE 256 +#define BATCH_ENTROPY_SIZE 512 +#else #define DEFAULT_POOL_SIZE 512 #define SECONDARY_POOL_SIZE 128 #define BATCH_ENTROPY_SIZE 256 +#endif #define USE_SHA /* @@ -387,6 +393,7 @@ /* * Static global variables */ + static struct entropy_store *random_state; /* The default global store */ static struct entropy_store *sec_random_state; /* secondary store */ static DECLARE_WAIT_QUEUE_HEAD(random_read_wait); diff -urN linux-2.4.20/drivers/char/tty_io.c linux-2.4.20/drivers/char/tty_io.c --- linux-2.4.20/drivers/char/tty_io.c 2002-11-28 18:53:12.000000000 -0500 +++ linux-2.4.20/drivers/char/tty_io.c 2003-02-12 23:36:37.000000000 -0500 @@ -99,7 +99,7 @@ #include #include #include - +#include #include #ifdef CONFIG_VT @@ -1380,7 +1380,11 @@ retval = -ENODEV; filp->f_flags = saved_flags; +#ifdef CONFIG_GRKERNSEC + if (!retval && test_bit(TTY_EXCLUSIVE, &tty->flags) && !capable(CAP_SYS_TTY_CONFIG)) +#else if (!retval && test_bit(TTY_EXCLUSIVE, &tty->flags) && !suser()) +#endif retval = -EBUSY; if (retval) { @@ -1482,7 +1486,11 @@ { char ch, mbz = 0; +#ifdef CONFIG_GRKERNSEC + if ((current->tty != tty) && !capable(CAP_SYS_TTY_CONFIG)) +#else if ((current->tty != tty) && !suser()) +#endif return -EPERM; if (get_user(ch, arg)) return -EFAULT; @@ -1520,7 +1528,11 @@ { if (inode->i_rdev == SYSCONS_DEV || inode->i_rdev == CONSOLE_DEV) { +#ifdef CONFIG_GRKERNSEC + if (!capable(CAP_SYS_TTY_CONFIG)) +#else if (!suser()) +#endif return -EPERM; redirect = NULL; return 0; @@ -1562,7 +1574,11 @@ * This tty is already the controlling * tty for another session group! */ +#ifdef CONFIG_GRKERNSEC + if ((arg == 1) && capable(CAP_SYS_ADMIN)) { +#else if ((arg == 1) && suser()) { +#endif /* * Steal it away */ diff -urN linux-2.4.20/drivers/char/vt.c linux-2.4.20/drivers/char/vt.c --- linux-2.4.20/drivers/char/vt.c 2002-11-28 18:53:12.000000000 -0500 +++ linux-2.4.20/drivers/char/vt.c 2003-02-12 23:36:37.000000000 -0500 @@ -32,6 +32,7 @@ #include #include #include +#include #ifdef CONFIG_FB_COMPAT_XPMAC #include @@ -443,7 +444,11 @@ * to be the owner of the tty, or super-user. */ perm = 0; +#ifdef CONFIG_GRKERNSEC + if (current->tty == tty || capable(CAP_SYS_TTY_CONFIG)) +#else if (current->tty == tty || suser()) +#endif perm = 1; kbd = kbd_table + console; @@ -1038,12 +1043,20 @@ return do_unimap_ioctl(cmd, (struct unimapdesc *)arg, perm); case VT_LOCKSWITCH: +#ifdef CONFIG_GRKERNSEC + if (!capable(CAP_SYS_TTY_CONFIG)) +#else if (!suser()) +#endif return -EPERM; vt_dont_switch = 1; return 0; case VT_UNLOCKSWITCH: +#ifdef CONFIG_GRKERNSEC + if (!capable(CAP_SYS_TTY_CONFIG)) +#else if (!suser()) +#endif return -EPERM; vt_dont_switch = 0; return 0; diff -urN linux-2.4.20/drivers/pci/proc.c linux-2.4.20/drivers/pci/proc.c --- linux-2.4.20/drivers/pci/proc.c 2002-11-28 18:53:14.000000000 -0500 +++ linux-2.4.20/drivers/pci/proc.c 2003-02-12 23:36:37.000000000 -0500 @@ -562,7 +562,15 @@ pci_for_each_dev(dev) { pci_proc_attach_device(dev); } +#ifdef CONFIG_GRKERNSEC_PROC_ADD +#ifdef CONFIG_GRKERNSEC_PROC_USER + entry = create_proc_entry("pci", S_IRUSR, NULL); +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + entry = create_proc_entry("pci", S_IRUSR | S_IRGRP, NULL); +#endif +#else entry = create_proc_entry("pci", 0, NULL); +#endif if (entry) entry->proc_fops = &proc_pci_operations; } diff -urN linux-2.4.20/fs/binfmt_aout.c linux-2.4.20/fs/binfmt_aout.c --- linux-2.4.20/fs/binfmt_aout.c 2001-11-02 20:39:20.000000000 -0500 +++ linux-2.4.20/fs/binfmt_aout.c 2003-02-12 23:36:37.000000000 -0500 @@ -5,6 +5,7 @@ */ #include +#include #include #include @@ -113,10 +114,12 @@ /* If the size of the dump file exceeds the rlimit, then see what would happen if we wrote the stack, but not the data area. */ #ifdef __sparc__ + gr_learn_resource(current, RLIMIT_CORE, dump.u_dsize+dump.u_ssize); if ((dump.u_dsize+dump.u_ssize) > current->rlim[RLIMIT_CORE].rlim_cur) dump.u_dsize = 0; #else + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize+dump.u_ssize+1) * PAGE_SIZE); if ((dump.u_dsize+dump.u_ssize+1) * PAGE_SIZE > current->rlim[RLIMIT_CORE].rlim_cur) dump.u_dsize = 0; @@ -124,10 +127,12 @@ /* Make sure we have enough room to write the stack and data areas. */ #ifdef __sparc__ + gr_learn_resource(current, RLIMIT_CORE, dump.u_ssize); if ((dump.u_ssize) > current->rlim[RLIMIT_CORE].rlim_cur) dump.u_ssize = 0; #else + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize+1) * PAGE_SIZE); if ((dump.u_ssize+1) * PAGE_SIZE > current->rlim[RLIMIT_CORE].rlim_cur) dump.u_ssize = 0; @@ -276,6 +281,8 @@ rlim = current->rlim[RLIMIT_DATA].rlim_cur; if (rlim >= RLIM_INFINITY) rlim = ~0; + + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss); if (ex.a_data + ex.a_bss > rlim) return -ENOMEM; @@ -307,6 +314,24 @@ current->mm->mmap = NULL; compute_creds(bprm); current->flags &= ~PF_FORKNOEXEC; + +#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) { + current->flags |= PF_PAX_PAGEEXEC; + +#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP + if (N_FLAGS(ex) & F_PAX_EMUTRAMP) + current->flags |= PF_PAX_EMUTRAMP; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT + if (!(N_FLAGS(ex) & F_PAX_MPROTECT)) + current->flags |= PF_PAX_MPROTECT; +#endif + + } +#endif + #ifdef __sparc__ if (N_MAGIC(ex) == NMAGIC) { loff_t pos = fd_offset; @@ -393,7 +418,7 @@ down_write(¤t->mm->mmap_sem); error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data, - PROT_READ | PROT_WRITE | PROT_EXEC, + PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE, fd_offset + ex.a_text); up_write(¤t->mm->mmap_sem); diff -urN linux-2.4.20/fs/binfmt_elf.c linux-2.4.20/fs/binfmt_elf.c --- linux-2.4.20/fs/binfmt_elf.c 2002-08-02 20:39:45.000000000 -0400 +++ linux-2.4.20/fs/binfmt_elf.c 2003-02-12 23:36:37.000000000 -0500 @@ -11,6 +11,7 @@ #include +#include #include #include #include @@ -33,10 +34,13 @@ #include #include #include +#include +#include #include #include #include +#include #define DLINFO_ITEMS 13 @@ -86,6 +90,12 @@ if (end <= start) return; do_brk(start, end - start); + +#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC + if (current->flags & PF_PAX_RANDEXEC) + do_mmap_pgoff(NULL, start + current->mm->delta_exec, 0UL, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_FIXED | MAP_MIRROR, start); +#endif + } @@ -444,6 +454,11 @@ struct elfhdr interp_elf_ex; struct exec interp_ex; char passed_fileno[6]; + +#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC + unsigned long load_addr_random = 0UL; + unsigned long load_bias_random = 0UL; +#endif /* Get the exec-header */ elf_ex = *((struct elfhdr *) bprm->buf); @@ -598,7 +613,79 @@ current->mm->end_data = 0; current->mm->end_code = 0; current->mm->mmap = NULL; + +#ifdef CONFIG_GRKERNSEC_PAX_ASLR + current->mm->delta_mmap = 0UL; + current->mm->delta_exec = 0UL; + current->mm->delta_stack = 0UL; +#endif + current->flags &= ~PF_FORKNOEXEC; + +#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC + if (!(elf_ex.e_ident[EI_PAX] & EF_PAX_PAGEEXEC)) + current->flags |= PF_PAX_PAGEEXEC; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP + if (elf_ex.e_ident[EI_PAX] & EF_PAX_EMUTRAMP) + current->flags |= PF_PAX_EMUTRAMP; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT + if (!(elf_ex.e_ident[EI_PAX] & EF_PAX_MPROTECT)) + current->flags |= PF_PAX_MPROTECT; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_ASLR + if (!(elf_ex.e_ident[EI_PAX] & EF_PAX_RANDMMAP)) { + unsigned long delta; + current->flags |= PF_PAX_RANDMMAP; + +#ifdef CONFIG_SPARC64 +#define pax_delta_mask(delta, shift) \ + (current->thread.flags & SPARC_FLAG_32BIT) ? \ + ((delta & (((__u32)1 << (8*sizeof(__u32) - 4 - (shift + 1))) - 1)) << (shift + 1)) \ + : ((delta & ((1UL << (8*sizeof(unsigned long) - 22 - (shift + 1))) - 1)) << (shift + 1)) +#else +#define pax_delta_mask(delta, shift) \ + ((delta & ((1UL << (8*sizeof(unsigned long) - 4 - shift)) - 1)) << shift) +#endif + + delta = (unsigned long) arc4random(); + current->mm->delta_mmap = pax_delta_mask(delta, PAGE_SHIFT); + + delta = (unsigned long) arc4random(); + current->mm->delta_exec = pax_delta_mask(delta, PAGE_SHIFT); + + delta = (unsigned long) arc4random(); + current->mm->delta_stack = pax_delta_mask(delta, PAGE_SHIFT); +#undef pax_delta_mask + } +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC + if (!(elf_ex.e_ident[EI_PAX] & EF_PAX_SEGMEXEC)) { + current->flags &= ~PF_PAX_PAGEEXEC; + current->flags |= PF_PAX_SEGMEXEC; + +#ifdef CONFIG_GRKERNSEC_PAX_ASLR + current->mm->delta_mmap &= 0x07FFFFFFUL; + current->mm->delta_exec &= 0x07FFFFFFUL; + current->mm->delta_stack &= 0x07FFFFFFUL; +#endif + + } +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC + if ((elf_ex.e_ident[EI_PAX] & EF_PAX_RANDEXEC) && (elf_ex.e_type == ET_EXEC) && + (current->flags & (PF_PAX_PAGEEXEC | PF_PAX_SEGMEXEC))) + current->flags |= PF_PAX_RANDEXEC; +#endif + + gr_set_pax_flags(current); + elf_entry = (unsigned long) elf_ex.e_entry; /* Do this so that we can load the interpreter, if need be. We will @@ -654,11 +741,84 @@ base, as well as whatever program they might try to exec. This is because the brk will follow the loader, and is not movable. */ load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr); + +#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP + /* PaX: randomize base address at the default exe base if requested */ + if (current->flags & PF_PAX_RANDMMAP) { + load_bias = ELF_PAGESTART(0x08048000 - vaddr + current->mm->delta_exec); + elf_flags |= MAP_FIXED; + } +#endif + } - error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, elf_prot, elf_flags); - if (BAD_ADDR(error)) - continue; +#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC + if ((current->flags & PF_PAX_RANDEXEC) && (elf_ex.e_type == ET_EXEC)) { + unsigned long addr, len; + + error = -ENOMEM; + +#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC + if (current->flags & PF_PAX_PAGEEXEC) + error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, elf_prot & ~PROT_EXEC, elf_flags); +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC + if (current->flags & PF_PAX_SEGMEXEC) { + addr = ELF_PAGESTART(load_bias + vaddr); + len = elf_ppnt->p_filesz + ELF_PAGEOFFSET(elf_ppnt->p_vaddr); + if (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len) + continue; + down_write(¤t->mm->mmap_sem); + error = do_mmap_pgoff(bprm->file, addr, len, elf_prot, elf_flags, (elf_ppnt->p_offset - ELF_PAGEOFFSET(elf_ppnt->p_vaddr)) >> PAGE_SHIFT); + up_write(¤t->mm->mmap_sem); + } +#endif + + if (BAD_ADDR(error)) + continue; + + /* PaX: mirror at a randomized base */ + down_write(¤t->mm->mmap_sem); + + if (!load_addr_set) { + load_addr_random = get_unmapped_area(bprm->file, 0UL, elf_ppnt->p_filesz + ELF_PAGEOFFSET(elf_ppnt->p_vaddr), (elf_ppnt->p_offset - ELF_PAGEOFFSET(elf_ppnt->p_vaddr)) >> PAGE_SHIFT, MAP_PRIVATE); + if (BAD_ADDR(load_addr_random)) { + up_write(¤t->mm->mmap_sem); + continue; + } + load_bias_random = load_addr_random - vaddr; + } + +#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC + if (current->flags & PF_PAX_PAGEEXEC) + load_addr_random = do_mmap_pgoff(NULL, ELF_PAGESTART(load_bias_random + vaddr), 0UL, elf_prot, elf_flags | MAP_MIRROR, error); +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC + if (current->flags & PF_PAX_SEGMEXEC) { + if (elf_prot & PROT_EXEC) { + load_addr_random = do_mmap_pgoff(NULL, ELF_PAGESTART(load_bias_random + vaddr), elf_ppnt->p_memsz + ELF_PAGEOFFSET(elf_ppnt->p_vaddr), PROT_NONE, MAP_PRIVATE | MAP_FIXED, 0UL); + if (!BAD_ADDR(load_addr_random)) { + load_addr_random = do_mmap_pgoff(NULL, ELF_PAGESTART(load_bias_random + vaddr + SEGMEXEC_TASK_SIZE), 0UL, elf_prot, elf_flags | MAP_MIRROR, error); + if (!BAD_ADDR(load_addr_random)) + load_addr_random -= SEGMEXEC_TASK_SIZE; + } + } else + load_addr_random = do_mmap_pgoff(NULL, ELF_PAGESTART(load_bias_random + vaddr), 0UL, elf_prot, elf_flags | MAP_MIRROR, error); + } +#endif + + up_write(¤t->mm->mmap_sem); + if (BAD_ADDR(load_addr_random)) + continue; + } else +#endif + { + error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, elf_prot, elf_flags); + if (BAD_ADDR(error)) + continue; + } if (!load_addr_set) { load_addr_set = 1; @@ -668,6 +828,11 @@ ELF_PAGESTART(load_bias + vaddr); load_addr += load_bias; } + +#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC + current->mm->delta_exec = load_addr_random - load_addr; +#endif + } k = elf_ppnt->p_vaddr; if (k < start_code) start_code = k; @@ -694,6 +859,13 @@ start_data += load_bias; end_data += load_bias; + /* Calling set_brk effectively mmaps the pages that we need + * for the bss and break sections + */ + set_brk(elf_bss, elf_brk); + + padzero(elf_bss); + if (elf_interpreter) { if (interpreter_type == INTERPRETER_AOUT) elf_entry = load_aout_interp(&interp_ex, @@ -742,13 +914,6 @@ current->mm->end_data = end_data; current->mm->start_stack = bprm->p; - /* Calling set_brk effectively mmaps the pages that we need - * for the bss and break sections - */ - set_brk(elf_bss, elf_brk); - - padzero(elf_bss); - #if 0 printk("(start_brk) %lx\n" , (long) current->mm->start_brk); printk("(end_code) %lx\n" , (long) current->mm->end_code); @@ -781,6 +946,10 @@ ELF_PLAT_INIT(regs); #endif +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC + pax_reload_gdt(current); +#endif + start_thread(regs, elf_entry, bprm->p); if (current->ptrace & PT_PTRACED) send_sig(SIGTRAP, current, 0); @@ -1003,8 +1172,11 @@ #undef DUMP_SEEK #define DUMP_WRITE(addr, nr) \ + do { \ + gr_learn_resource(current, RLIMIT_CORE, size + (nr)); \ if ((size += (nr)) > limit || !dump_write(file, (addr), (nr))) \ - goto end_coredump; + goto end_coredump; \ + } while (0); #define DUMP_SEEK(off) \ if (!dump_seek(file, (off))) \ goto end_coredump; diff -urN linux-2.4.20/fs/buffer.c linux-2.4.20/fs/buffer.c --- linux-2.4.20/fs/buffer.c 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/fs/buffer.c 2003-02-12 23:36:37.000000000 -0500 @@ -1786,6 +1786,9 @@ int err; err = -EFBIG; + + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long) size); + limit = current->rlim[RLIMIT_FSIZE].rlim_cur; if (limit != RLIM_INFINITY && size > (loff_t)limit) { send_sig(SIGXFSZ, current, 0); diff -urN linux-2.4.20/fs/exec.c linux-2.4.20/fs/exec.c --- linux-2.4.20/fs/exec.c 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/fs/exec.c 2003-02-12 23:36:37.000000000 -0500 @@ -41,6 +41,9 @@ #include #include #include +#include +#include +#include #ifdef CONFIG_KMOD #include @@ -299,6 +302,11 @@ lru_cache_add(page); flush_dcache_page(page); flush_page_to_ram(page); +#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC + if (tsk->flags & PF_PAX_PAGEEXEC) + set_pte(pte, pte_mkdirty(pte_mkwrite(mk_pte(page, PAGE_COPY_NOEXEC)))); + else +#endif set_pte(pte, pte_mkdirty(pte_mkwrite(mk_pte(page, PAGE_COPY)))); tsk->mm->rss++; spin_unlock(&tsk->mm->page_table_lock); @@ -334,8 +342,14 @@ mpnt->vm_mm = current->mm; mpnt->vm_start = PAGE_MASK & (unsigned long) bprm->p; mpnt->vm_end = STACK_TOP; - mpnt->vm_page_prot = PAGE_COPY; mpnt->vm_flags = VM_STACK_FLAGS; + +#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC + if (!(current->flags & PF_PAX_PAGEEXEC)) + mpnt->vm_page_prot = protection_map[(mpnt->vm_flags | VM_EXEC) & 0x0f]; + else +#endif + mpnt->vm_page_prot = protection_map[mpnt->vm_flags & 0x0f]; mpnt->vm_ops = NULL; mpnt->vm_pgoff = 0; mpnt->vm_file = NULL; @@ -584,6 +598,30 @@ } current->comm[i] = '\0'; +#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC + current->flags &= ~PF_PAX_PAGEEXEC; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP + current->flags &= ~PF_PAX_EMUTRAMP; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT + current->flags &= ~PF_PAX_MPROTECT; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_ASLR + current->flags &= ~PF_PAX_RANDMMAP; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC + current->flags &= ~PF_PAX_RANDEXEC; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC + current->flags &= ~PF_PAX_SEGMEXEC; +#endif + flush_thread(); de_thread(current); @@ -681,6 +719,9 @@ cap_set_full(bprm->cap_effective); } + if (gr_handle_ptrace_exec(bprm->file->f_dentry, bprm->file->f_vfsmnt)) + return -EACCES; + memset(bprm->buf,0,BINPRM_BUF_SIZE); return kernel_read(bprm->file,0,bprm->buf,BINPRM_BUF_SIZE); } @@ -886,7 +927,30 @@ if (IS_ERR(file)) return retval; + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->user->processes)); + + if (gr_handle_nproc()) { + allow_write_access(file); + fput(file); + return -EAGAIN; + } + + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) { + allow_write_access(file); + fput(file); + return -EACCES; + } + bprm.p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *); + +#ifdef CONFIG_GRKERNSEC_PAX_RANDUSTACK + { + unsigned short delta; + get_random_bytes(&delta, sizeof(delta)); + bprm.p -= (delta & ~(sizeof(void *)-1)) & ~PAGE_MASK; + } +#endif + memset(bprm.page, 0, MAX_ARG_PAGES*sizeof(bprm.page[0])); bprm.file = file; @@ -910,11 +974,28 @@ if (retval < 0) goto out; + if (!gr_tpe_allow(file)) { + retval = -EACCES; + goto out; + } + + if(gr_check_crash_exec(file)) { + retval = -EACCES; + goto out; + } + retval = copy_strings_kernel(1, &bprm.filename, &bprm); if (retval < 0) goto out; bprm.exec = bprm.p; + + gr_set_proc_label(file->f_dentry, file->f_vfsmnt); + + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt); + + gr_handle_exec_args(&bprm, argv); + retval = copy_strings(bprm.envc, envp, &bprm); if (retval < 0) goto out; @@ -968,6 +1049,7 @@ if (!current->mm->dumpable) goto fail; current->mm->dumpable = 0; + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump); if (current->rlim[RLIMIT_CORE].rlim_cur < binfmt->min_coredump) goto fail; @@ -989,7 +1071,7 @@ goto close_fail; if (!file->f_op->write) goto close_fail; - if (do_truncate(file->f_dentry, 0) != 0) + if (do_truncate(file->f_dentry, 0, file->f_vfsmnt) != 0) goto close_fail; retval = binfmt->core_dump(signr, regs, file); diff -urN linux-2.4.20/fs/fcntl.c linux-2.4.20/fs/fcntl.c --- linux-2.4.20/fs/fcntl.c 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/fs/fcntl.c 2003-02-12 23:36:37.000000000 -0500 @@ -11,6 +11,7 @@ #include #include #include +#include #include #include @@ -67,6 +68,7 @@ write_lock(&files->file_lock); error = -EINVAL; + gr_learn_resource(current, RLIMIT_NOFILE, orig_start); if (orig_start >= current->rlim[RLIMIT_NOFILE].rlim_cur) goto out; @@ -86,6 +88,7 @@ } error = -EMFILE; + gr_learn_resource(current, RLIMIT_NOFILE, newfd); if (newfd >= current->rlim[RLIMIT_NOFILE].rlim_cur) goto out; @@ -148,6 +151,7 @@ if (newfd == oldfd) goto out_unlock; err = -EBADF; + gr_learn_resource(current, RLIMIT_NOFILE, newfd); if (newfd >= current->rlim[RLIMIT_NOFILE].rlim_cur) goto out_unlock; get_file(file); /* We are now finished with oldfd */ @@ -448,6 +452,8 @@ match = -p->pgrp; if (pid != match) continue; + if (gr_pid_is_chrooted(p)) + continue; send_sigio_to_task(p, fown, fd, band); } out: diff -urN linux-2.4.20/fs/locks.c linux-2.4.20/fs/locks.c --- linux-2.4.20/fs/locks.c 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/fs/locks.c 2003-02-12 23:36:37.000000000 -0500 @@ -138,6 +138,7 @@ static struct file_lock *locks_alloc_lock(int account) { struct file_lock *fl; + if(account) gr_learn_resource(current, RLIMIT_LOCKS, current->locks); if (account && current->locks >= current->rlim[RLIMIT_LOCKS].rlim_cur) return NULL; fl = kmem_cache_alloc(filelock_cache, SLAB_KERNEL); diff -urN linux-2.4.20/fs/namei.c linux-2.4.20/fs/namei.c --- linux-2.4.20/fs/namei.c 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/fs/namei.c 2003-02-12 23:36:37.000000000 -0500 @@ -22,6 +22,7 @@ #include #include #include +#include #include #include @@ -343,6 +344,13 @@ current->state = TASK_RUNNING; schedule(); } + + if (gr_handle_follow_link(dentry->d_parent->d_inode, + dentry->d_inode, dentry, nd->mnt)) { + path_release(nd); + return -EACCES; + } + current->link_count++; current->total_link_count++; UPDATE_ATIME(dentry->d_inode); @@ -641,6 +649,10 @@ } } return_base: + if (!gr_acl_handle_hidden_file(nd->dentry, nd->mnt)) { + path_release(nd); + return -ENOENT; + } return 0; out_dput: dput(dentry); @@ -1003,7 +1015,7 @@ struct dentry *dentry; struct dentry *dir; int count = 0; - + acc_mode = ACC_MODE(flag); /* @@ -1013,7 +1025,21 @@ error = path_lookup(pathname, lookup_flags(flag), nd); if (error) return error; + + if (gr_acl_is_enabled() && nd->dentry->d_inode && + S_ISBLK(nd->dentry->d_inode->i_mode) && + !capable(CAP_SYS_RAWIO)) { + error = -EPERM; + goto exit; + } + + if (!gr_acl_handle_open(nd->dentry, nd->mnt, flag)) { + error = -EACCES; + goto exit; + } + dentry = nd->dentry; + goto ok; } @@ -1046,8 +1072,17 @@ /* Negative dentry, just create the file */ if (!dentry->d_inode) { + if (!gr_acl_handle_creat(dentry, nd->dentry, nd->mnt, flag)) { + error = -EACCES; + up(&dir->d_inode->i_sem); + goto exit_dput; + } + error = vfs_create(dir->d_inode, dentry, mode & ~current->fs->umask); + if (!error) + gr_handle_create(dentry, nd->mnt); + up(&dir->d_inode->i_sem); dput(nd->dentry); nd->dentry = dentry; @@ -1056,12 +1091,35 @@ /* Don't check for write permission, don't truncate */ acc_mode = 0; flag &= ~O_TRUNC; + goto ok; } /* * It already exists. */ + + if (gr_acl_is_enabled() && S_ISBLK(dentry->d_inode->i_mode) && + !capable(CAP_SYS_RAWIO)) { + error = -EPERM; + up(&dir->d_inode->i_sem); + goto exit_dput; + } + + if (!gr_acl_handle_open(dentry, nd->mnt, flag)) { + error = -EACCES; + up(&dir->d_inode->i_sem); + goto exit_dput; + } + + inode = dentry->d_inode; + + if (gr_handle_fifo(dentry, nd->mnt, dir, flag, acc_mode)) { + up(&dir->d_inode->i_sem); + error = -EACCES; + goto exit_dput; + } + up(&dir->d_inode->i_sem); error = -EEXIST; @@ -1151,7 +1209,7 @@ if (!error) { DQUOT_INIT(inode); - error = do_truncate(dentry, 0); + error = do_truncate(dentry,0,nd->mnt); } put_write_access(inode); if (error) @@ -1182,6 +1240,13 @@ * stored in nd->last.name and we will have to putname() it when we * are done. Procfs-like symlinks just set LAST_BIND. */ + + if (gr_handle_follow_link(dentry->d_parent->d_inode, dentry->d_inode, + dentry, nd->mnt)) { + error = -EACCES; + goto exit_dput; + } + UPDATE_ATIME(dentry->d_inode); error = dentry->d_inode->i_op->follow_link(dentry, nd); dput(dentry); @@ -1280,6 +1345,18 @@ mode &= ~current->fs->umask; if (!IS_ERR(dentry)) { + if (gr_handle_chroot_mknod(dentry, nd.mnt, mode)) { + error = -EPERM; + dput(dentry); + goto out_dput; + } + + if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt)) { + error = -EACCES; + dput(dentry); + goto out_dput; + } + switch (mode & S_IFMT) { case 0: case S_IFREG: error = vfs_create(nd.dentry->d_inode,dentry,mode); @@ -1293,8 +1370,13 @@ default: error = -EINVAL; } + + if(!error) + gr_handle_create(dentry, nd.mnt); + dput(dentry); } +out_dput: up(&nd.dentry->d_inode->i_sem); path_release(&nd); out: @@ -1346,8 +1428,17 @@ dentry = lookup_create(&nd, 1); error = PTR_ERR(dentry); if (!IS_ERR(dentry)) { - error = vfs_mkdir(nd.dentry->d_inode, dentry, + error = 0; + + if (!gr_acl_handle_mkdir(dentry, nd.dentry, nd.mnt)) + error = -EACCES; + + if(!error) + error = vfs_mkdir(nd.dentry->d_inode, dentry, mode & ~current->fs->umask); + if(!error) + gr_handle_create(dentry, nd.mnt); + dput(dentry); } up(&nd.dentry->d_inode->i_sem); @@ -1431,6 +1522,8 @@ char * name; struct dentry *dentry; struct nameidata nd; + ino_t saved_ino = 0; + kdev_t saved_dev = 0; name = getname(pathname); if(IS_ERR(name)) @@ -1455,7 +1548,20 @@ dentry = lookup_hash(&nd.last, nd.dentry); error = PTR_ERR(dentry); if (!IS_ERR(dentry)) { - error = vfs_rmdir(nd.dentry->d_inode, dentry); + error = 0; + if (dentry->d_inode) { + saved_ino = dentry->d_inode->i_ino; + saved_dev = dentry->d_inode->i_dev; + + if (!gr_acl_handle_rmdir(dentry, nd.mnt)) + error = -EACCES; + } + + if (!error) + error = vfs_rmdir(nd.dentry->d_inode, dentry); + if (!error && (saved_dev || saved_ino)) + gr_handle_delete(saved_ino,saved_dev); + dput(dentry); } up(&nd.dentry->d_inode->i_sem); @@ -1499,6 +1605,8 @@ char * name; struct dentry *dentry; struct nameidata nd; + ino_t saved_ino = 0; + kdev_t saved_dev = 0; name = getname(pathname); if(IS_ERR(name)) @@ -1517,7 +1625,19 @@ /* Why not before? Because we want correct error value */ if (nd.last.name[nd.last.len]) goto slashes; - error = vfs_unlink(nd.dentry->d_inode, dentry); + error = 0; + if (dentry->d_inode) { + saved_ino = dentry->d_inode->i_ino; + saved_dev = dentry->d_inode->i_dev; + + if (!gr_acl_handle_unlink(dentry, nd.mnt)) + error = -EACCES; + } + + if (!error) + error = vfs_unlink(nd.dentry->d_inode, dentry); + if (!error && (saved_ino || saved_dev)) + gr_handle_delete(saved_ino,saved_dev); exit2: dput(dentry); } @@ -1581,7 +1701,15 @@ dentry = lookup_create(&nd, 0); error = PTR_ERR(dentry); if (!IS_ERR(dentry)) { - error = vfs_symlink(nd.dentry->d_inode, dentry, from); + error = 0; + + if (!gr_acl_handle_symlink(dentry, nd.dentry, nd.mnt, from)) + error = -EACCES; + + if(!error) + error = vfs_symlink(nd.dentry->d_inode, dentry, from); + if (!error) + gr_handle_create(dentry, nd.mnt); dput(dentry); } up(&nd.dentry->d_inode->i_sem); @@ -1665,7 +1793,27 @@ new_dentry = lookup_create(&nd, 0); error = PTR_ERR(new_dentry); if (!IS_ERR(new_dentry)) { - error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry); + error = 0; + + if (gr_handle_hardlink(old_nd.dentry, old_nd.mnt, + old_nd.dentry->d_inode, + old_nd.dentry->d_inode->i_mode, to)) { + error = -EPERM; + goto out_error; + } + + if (!gr_acl_handle_link(new_dentry, nd.dentry, nd.mnt, + old_nd.dentry, old_nd.mnt, to)) { + error = -EACCES; + goto out_error; + } + + error = vfs_link(old_nd.dentry, + nd.dentry->d_inode, new_dentry); + + if (!error) + gr_handle_create(new_dentry, nd.mnt); +out_error: dput(new_dentry); } up(&nd.dentry->d_inode->i_sem); @@ -1896,10 +2044,15 @@ if (IS_ERR(new_dentry)) goto exit4; - lock_kernel(); - error = vfs_rename(old_dir->d_inode, old_dentry, + error = gr_acl_handle_rename(new_dentry, newnd.dentry, newnd.mnt, + old_dentry, old_dir->d_inode, oldnd.mnt, newname); + + if (error == 1) { + lock_kernel(); + error = vfs_rename(old_dir->d_inode, old_dentry, new_dir->d_inode, new_dentry); - unlock_kernel(); + unlock_kernel(); + } dput(new_dentry); exit4: diff -urN linux-2.4.20/fs/namespace.c linux-2.4.20/fs/namespace.c --- linux-2.4.20/fs/namespace.c 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/fs/namespace.c 2003-02-12 23:36:37.000000000 -0500 @@ -15,6 +15,8 @@ #include #include #include +#include +#include #include @@ -322,6 +324,8 @@ lock_kernel(); retval = do_remount_sb(sb, MS_RDONLY, 0); unlock_kernel(); + + gr_log_remount(mnt->mnt_devname, retval); } up_write(&sb->s_umount); return retval; @@ -347,6 +351,9 @@ } spin_unlock(&dcache_lock); up_write(¤t->namespace->sem); + + gr_log_unmount(mnt->mnt_devname, retval); + return retval; } @@ -726,6 +733,12 @@ if (retval) return retval; + if (gr_handle_chroot_mount(nd.dentry, nd.mnt, dev_name)) { + retval = -EPERM; + path_release(&nd); + return retval; + } + if (flags & MS_REMOUNT) retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags, data_page); @@ -737,6 +750,9 @@ retval = do_add_mount(&nd, type_page, flags, mnt_flags, dev_name, data_page); path_release(&nd); + + gr_log_mount(dev_name, dir_name, retval); + return retval; } @@ -906,6 +922,9 @@ if (!capable(CAP_SYS_ADMIN)) return -EPERM; + if (gr_handle_chroot_pivot()) + return -EPERM; + lock_kernel(); error = __user_walk(new_root, LOOKUP_POSITIVE|LOOKUP_FOLLOW|LOOKUP_DIRECTORY, &new_nd); diff -urN linux-2.4.20/fs/open.c linux-2.4.20/fs/open.c --- linux-2.4.20/fs/open.c 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/fs/open.c 2003-02-12 23:36:37.000000000 -0500 @@ -15,6 +15,7 @@ #include #include #include +#include #include @@ -95,7 +96,7 @@ write_unlock(&files->file_lock); } -int do_truncate(struct dentry *dentry, loff_t length) +int do_truncate(struct dentry *dentry, loff_t length, struct vfsmount *mnt) { struct inode *inode = dentry->d_inode; int error; @@ -105,6 +106,9 @@ if (length < 0) return -EINVAL; + if (!gr_acl_handle_truncate(dentry, mnt)) + return -EACCES; + down(&inode->i_sem); newattrs.ia_size = length; newattrs.ia_valid = ATTR_SIZE | ATTR_CTIME; @@ -163,7 +167,7 @@ error = locks_verify_truncate(inode, NULL, length); if (!error) { DQUOT_INIT(inode); - error = do_truncate(nd.dentry, length); + error = do_truncate(nd.dentry, length, nd.mnt); } put_write_access(inode); @@ -215,7 +219,7 @@ error = locks_verify_truncate(inode, file, length); if (!error) - error = do_truncate(dentry, length); + error = do_truncate(dentry, length, file->f_vfsmnt); out_putf: fput(file); out: @@ -284,6 +288,12 @@ (error = permission(inode,MAY_WRITE)) != 0) goto dput_and_out; } + + if (!gr_acl_handle_utime(nd.dentry, nd.mnt)) { + error = -EACCES; + goto dput_and_out; + } + error = notify_change(nd.dentry, &newattrs); dput_and_out: path_release(&nd); @@ -329,6 +339,12 @@ (error = permission(inode,MAY_WRITE)) != 0) goto dput_and_out; } + + if (!gr_acl_handle_utime(nd.dentry, nd.mnt)) { + error = -EACCES; + goto dput_and_out; + } + error = notify_change(nd.dentry, &newattrs); dput_and_out: path_release(&nd); @@ -371,6 +387,10 @@ if(!res && (mode & S_IWOTH) && IS_RDONLY(nd.dentry->d_inode) && !special_file(nd.dentry->d_inode->i_mode)) res = -EROFS; + + if (!res && !gr_acl_handle_access(nd.dentry, nd.mnt, mode)) + res = -EACCES; + path_release(&nd); } @@ -394,6 +414,8 @@ if (error) goto dput_and_out; + gr_log_chdir(nd.dentry, nd.mnt); + set_fs_pwd(current->fs, nd.mnt, nd.dentry); dput_and_out: @@ -424,6 +446,13 @@ goto out_putf; error = permission(inode, MAY_EXEC); + + if (!error && !gr_chroot_fchdir(dentry, mnt)) + error = -EPERM; + + if (!error) + gr_log_chdir(dentry, mnt); + if (!error) set_fs_pwd(current->fs, mnt, dentry); out_putf: @@ -450,8 +479,16 @@ if (!capable(CAP_SYS_CHROOT)) goto dput_and_out; + if (gr_handle_chroot_chroot(nd.dentry, nd.mnt)) + goto dput_and_out; + set_fs_root(current->fs, nd.mnt, nd.dentry); set_fs_altroot(); + + gr_handle_chroot_caps(); + + gr_handle_chroot_chdir(nd.dentry, nd.mnt); + error = 0; dput_and_out: path_release(&nd); @@ -480,8 +517,20 @@ err = -EPERM; if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) goto out_putf; + + if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt)) { + err = -EACCES; + goto out_putf; + } + if (mode == (mode_t) -1) mode = inode->i_mode; + + if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) { + err = -EPERM; + goto out_putf; + } + newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; err = notify_change(dentry, &newattrs); @@ -512,8 +561,19 @@ if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) goto dput_and_out; + if (!gr_acl_handle_chmod(nd.dentry, nd.mnt)) { + error = -EACCES; + goto dput_and_out; + } + if (mode == (mode_t) -1) mode = inode->i_mode; + + if (gr_handle_chroot_chmod(nd.dentry, nd.mnt, mode)) { + error = -EACCES; + goto dput_and_out; + } + newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; error = notify_change(nd.dentry, &newattrs); @@ -524,7 +584,7 @@ return error; } -static int chown_common(struct dentry * dentry, uid_t user, gid_t group) +static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt) { struct inode * inode; int error; @@ -541,6 +601,12 @@ error = -EPERM; if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) goto out; + + if (!gr_acl_handle_chown(dentry, mnt)) { + error = -EACCES; + goto out; + } + if (user == (uid_t) -1) user = inode->i_uid; if (group == (gid_t) -1) @@ -591,7 +657,7 @@ error = user_path_walk(filename, &nd); if (!error) { - error = chown_common(nd.dentry, user, group); + error = chown_common(nd.dentry, user, group, nd.mnt); path_release(&nd); } return error; @@ -604,7 +670,7 @@ error = user_path_walk_link(filename, &nd); if (!error) { - error = chown_common(nd.dentry, user, group); + error = chown_common(nd.dentry, user, group, nd.mnt); path_release(&nd); } return error; @@ -618,7 +684,8 @@ file = fget(fd); if (file) { - error = chown_common(file->f_dentry, user, group); + error = chown_common(file->f_dentry, user, + group, file->f_vfsmnt); fput(file); } return error; @@ -738,6 +805,7 @@ * N.B. For clone tasks sharing a files structure, this test * will limit the total number of files that can be opened. */ + gr_learn_resource(current, RLIMIT_NOFILE, fd); if (fd >= current->rlim[RLIMIT_NOFILE].rlim_cur) goto out; diff -urN linux-2.4.20/fs/proc/array.c linux-2.4.20/fs/proc/array.c --- linux-2.4.20/fs/proc/array.c 2002-08-02 20:39:45.000000000 -0400 +++ linux-2.4.20/fs/proc/array.c 2003-02-12 23:36:37.000000000 -0500 @@ -541,7 +541,12 @@ #define MAPS_LINE_FORMAT (sizeof(void*) == 4 ? MAPS_LINE_FORMAT4 : MAPS_LINE_FORMAT8) #define MAPS_LINE_MAX (sizeof(void*) == 4 ? MAPS_LINE_MAX4 : MAPS_LINE_MAX8) +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP +static int proc_pid_maps_get_line (char *buf, struct vm_area_struct *map, + struct task_struct *task) +#else static int proc_pid_maps_get_line (char *buf, struct vm_area_struct *map) +#endif { /* produce the next line */ char *line; @@ -574,6 +579,16 @@ } else line = buf; +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP + if (task->flags & PF_PAX_RANDMMAP || + task->flags & PF_PAX_SEGMEXEC || + task->flags & PF_PAX_RANDEXEC) + len = sprintf(line, + MAPS_LINE_FORMAT, + 0UL, 0UL, str, 0UL, + kdevname(dev), ino); + else +#endif len = sprintf(line, MAPS_LINE_FORMAT, map->vm_start, map->vm_end, str, map->vm_pgoff << PAGE_SHIFT, @@ -639,7 +654,11 @@ off -= PAGE_SIZE; goto next; } +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP + len = proc_pid_maps_get_line(tmp, map, task); +#else len = proc_pid_maps_get_line(tmp, map); +#endif len -= off; if (len > 0) { if (retval+len > count) { diff -urN linux-2.4.20/fs/proc/base.c linux-2.4.20/fs/proc/base.c --- linux-2.4.20/fs/proc/base.c 2002-08-02 20:39:45.000000000 -0400 +++ linux-2.4.20/fs/proc/base.c 2003-02-12 23:36:37.000000000 -0500 @@ -25,6 +25,7 @@ #include #include #include +#include /* * For hysterical raisins we keep the same inumbers as in the old procfs. @@ -228,9 +229,21 @@ static int proc_permission(struct inode *inode, int mask) { + struct task_struct *task; + int ret; + if (vfs_permission(inode, mask) != 0) return -EACCES; - return proc_check_root(inode); + ret = proc_check_root(inode); + if (ret) + return ret; + + task = inode->u.proc_i.task; + + if (!task) + return 0; + + return gr_acl_handle_procpidmem(task); } static ssize_t pid_maps_read(struct file * file, char * buf, @@ -710,10 +723,17 @@ get_task_struct(task); inode->u.proc_i.task = task; inode->i_uid = 0; +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID; +#else inode->i_gid = 0; +#endif + if (ino == PROC_PID_INO || task_dumpable(task)) { inode->i_uid = task->euid; +#ifndef CONFIG_GRKERNSEC_PROC_USERGROUP inode->i_gid = task->egid; +#endif } out: @@ -1019,13 +1039,34 @@ if (!task) goto out; + if(gr_check_hidden_task(task)) { + free_task_struct(task); + goto out; + } + +#ifdef CONFIG_GRKERNSEC_PROC + if (current->uid && (task->uid != current->uid) +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID) +#endif + ) { + free_task_struct(task); + goto out; + } +#endif inode = proc_pid_make_inode(dir->i_sb, task, PROC_PID_INO); free_task_struct(task); if (!inode) goto out; +#ifdef CONFIG_GRKERNSEC_PROC_USER + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR; +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP; +#else inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO; +#endif inode->i_op = &proc_base_inode_operations; inode->i_fop = &proc_base_operations; inode->i_nlink = 3; @@ -1065,6 +1106,18 @@ int pid = p->pid; if (!pid) continue; + if(gr_pid_is_chrooted(p)) + continue; + if(gr_check_hidden_task(p)) + continue; +#ifdef CONFIG_GRKERNSEC_PROC + if (current->uid && (p->uid != current->uid) +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID) +#endif + ) + continue; +#endif if (--index >= 0) continue; pids[nr_pids] = pid; diff -urN linux-2.4.20/fs/proc/generic.c linux-2.4.20/fs/proc/generic.c --- linux-2.4.20/fs/proc/generic.c 2002-08-02 20:39:45.000000000 -0400 +++ linux-2.4.20/fs/proc/generic.c 2003-02-12 23:36:37.000000000 -0500 @@ -493,6 +493,29 @@ return ent; } +#ifdef CONFIG_GRKERNSEC_PROC +struct proc_dir_entry *proc_priv_mkdir(const char *name, struct proc_dir_entry *parent) +{ + struct proc_dir_entry *ent; + mode_t mode = 0; + +#ifdef CONFIG_GRKERNSEC_PROC_USER + mode = S_IFDIR | S_IRUSR | S_IXUSR; +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + mode = S_IFDIR | S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP; +#endif + + ent = proc_create(&parent, name, mode, 2); + if (ent) { + ent->proc_fops = &proc_dir_operations; + ent->proc_iops = &proc_dir_inode_operations; + + proc_register(parent, ent); + } + return ent; +} +#endif + struct proc_dir_entry *create_proc_entry(const char *name, mode_t mode, struct proc_dir_entry *parent) { diff -urN linux-2.4.20/fs/proc/inode.c linux-2.4.20/fs/proc/inode.c --- linux-2.4.20/fs/proc/inode.c 2001-11-17 14:24:32.000000000 -0500 +++ linux-2.4.20/fs/proc/inode.c 2003-02-12 23:36:37.000000000 -0500 @@ -152,7 +152,11 @@ if (de->mode) { inode->i_mode = de->mode; inode->i_uid = de->uid; +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID; +#else inode->i_gid = de->gid; +#endif } if (de->size) inode->i_size = de->size; diff -urN linux-2.4.20/fs/proc/proc_misc.c linux-2.4.20/fs/proc/proc_misc.c --- linux-2.4.20/fs/proc/proc_misc.c 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/fs/proc/proc_misc.c 2003-02-12 23:36:37.000000000 -0500 @@ -545,6 +545,7 @@ void __init proc_misc_init(void) { struct proc_dir_entry *entry; + int gr_mode = 0; static struct { char *name; int (*read_proc)(char*,char**,off_t,int,int*,void*); @@ -559,48 +560,81 @@ #ifdef CONFIG_STRAM_PROC {"stram", stram_read_proc}, #endif -#ifdef CONFIG_MODULES +#if defined(CONFIG_MODULES) && !defined(CONFIG_GRKERNSEC_PROC) {"modules", modules_read_proc}, #endif {"stat", kstat_read_proc}, +#ifndef CONFIG_GRKERNSEC_PROC_ADD {"devices", devices_read_proc}, -#if !defined(CONFIG_ARCH_S390) +#endif +#if !defined(CONFIG_ARCH_S390) && !defined(CONFIG_GRKERNSEC_PROC_ADD) {"interrupts", interrupts_read_proc}, #endif {"filesystems", filesystems_read_proc}, +#ifndef CONFIG_GRKERNSEC_PROC_ADD {"dma", dma_read_proc}, {"ioports", ioports_read_proc}, {"cmdline", cmdline_read_proc}, +#endif #ifdef CONFIG_SGI_DS1286 {"rtc", ds1286_read_proc}, #endif {"locks", locks_read_proc}, {"swaps", swaps_read_proc}, +#ifndef CONFIG_GRKERNSEC_PROC_ADD {"iomem", memory_read_proc}, +#endif {"execdomains", execdomains_read_proc}, {NULL,} }; for (p = simple_ones; p->name; p++) create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL); +#ifdef CONFIG_GRKERNSEC_PROC_USER + gr_mode = S_IRUSR; +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + gr_mode = S_IRUSR | S_IRGRP; +#endif + +#if defined(CONFIG_GRKERNSEC_PROC) && defined(CONFIG_MODULES) + create_proc_read_entry("modules", gr_mode, NULL, &modules_read_proc, NULL); +#endif +#ifdef CONFIG_GRKERNSEC_PROC_ADD + create_proc_read_entry("devices", gr_mode, NULL, &devices_read_proc, NULL); + create_proc_read_entry("dma", gr_mode, NULL, &dma_read_proc, NULL); + create_proc_read_entry("ioports", gr_mode, NULL, &ioports_read_proc, NULL); + create_proc_read_entry("cmdline", gr_mode, NULL, &cmdline_read_proc, NULL); + create_proc_read_entry("iomem", gr_mode, NULL, &memory_read_proc, NULL); +#if !defined(CONFIG_ARCH_S390) + create_proc_read_entry("interrupts", gr_mode, NULL, &interrupts_read_proc, NULL); +#endif +#endif + proc_symlink("mounts", NULL, "self/mounts"); /* And now for trickier ones */ entry = create_proc_entry("kmsg", S_IRUSR, &proc_root); if (entry) entry->proc_fops = &proc_kmsg_operations; +#ifdef CONFIG_GRKERNSEC_PROC_ADD + create_seq_entry("cpuinfo", gr_mode, &proc_cpuinfo_operations); + create_seq_entry("slabinfo", gr_mode,&proc_slabinfo_operations); +#else create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations); - create_seq_entry("partitions", 0, &proc_partitions_operations); create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations); +#endif + create_seq_entry("partitions", 0, &proc_partitions_operations); #ifdef CONFIG_MODULES - create_seq_entry("ksyms", 0, &proc_ksyms_operations); + create_seq_entry("ksyms", gr_mode, &proc_ksyms_operations); #endif +#ifndef CONFIG_GRKERNSEC_PROC_ADD proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL); if (proc_root_kcore) { proc_root_kcore->proc_fops = &proc_kcore_operations; proc_root_kcore->size = (size_t)high_memory - PAGE_OFFSET + PAGE_SIZE; } +#endif if (prof_shift) { entry = create_proc_entry("profile", S_IWUSR | S_IRUGO, NULL); if (entry) { diff -urN linux-2.4.20/fs/proc/proc_tty.c linux-2.4.20/fs/proc/proc_tty.c --- linux-2.4.20/fs/proc/proc_tty.c 2000-04-21 18:17:57.000000000 -0400 +++ linux-2.4.20/fs/proc/proc_tty.c 2003-02-12 23:36:37.000000000 -0500 @@ -174,7 +174,11 @@ if (!proc_mkdir("tty", 0)) return; proc_tty_ldisc = proc_mkdir("tty/ldisc", 0); +#ifdef CONFIG_GRKERNSEC_PROC + proc_tty_driver = proc_priv_mkdir("tty/driver", 0); +#else proc_tty_driver = proc_mkdir("tty/driver", 0); +#endif create_proc_read_entry("tty/ldiscs", 0, 0, tty_ldiscs_read_proc,NULL); create_proc_read_entry("tty/drivers", 0, 0, tty_drivers_read_proc,NULL); diff -urN linux-2.4.20/fs/proc/root.c linux-2.4.20/fs/proc/root.c --- linux-2.4.20/fs/proc/root.c 2002-08-02 20:39:45.000000000 -0400 +++ linux-2.4.20/fs/proc/root.c 2003-02-12 23:36:37.000000000 -0500 @@ -37,13 +37,21 @@ return; } proc_misc_init(); +#ifdef CONFIG_GRKERNSEC_PROC + proc_net = proc_priv_mkdir("net", 0); +#else proc_net = proc_mkdir("net", 0); +#endif #ifdef CONFIG_SYSVIPC proc_mkdir("sysvipc", 0); #endif #ifdef CONFIG_SYSCTL +#ifdef CONFIG_GRKERNSEC_PROC + proc_sys_root = proc_priv_mkdir("sys", 0); +#else proc_sys_root = proc_mkdir("sys", 0); #endif +#endif #if defined(CONFIG_BINFMT_MISC) || defined(CONFIG_BINFMT_MISC_MODULE) proc_mkdir("sys/fs", 0); proc_mkdir("sys/fs/binfmt_misc", 0); @@ -67,7 +75,12 @@ #ifdef CONFIG_PPC_RTAS proc_rtas_init(); #endif + +#ifdef CONFIG_GRKERNSEC_PROC_ADD + proc_bus = proc_priv_mkdir("bus", 0); +#else proc_bus = proc_mkdir("bus", 0); +#endif } static struct dentry *proc_root_lookup(struct inode * dir, struct dentry * dentry) diff -urN linux-2.4.20/fs/readdir.c linux-2.4.20/fs/readdir.c --- linux-2.4.20/fs/readdir.c 2002-08-02 20:39:45.000000000 -0400 +++ linux-2.4.20/fs/readdir.c 2003-02-12 23:36:37.000000000 -0500 @@ -10,6 +10,7 @@ #include #include #include +#include #include @@ -181,6 +182,7 @@ struct readdir_callback { struct old_linux_dirent * dirent; int count; + struct nameidata nd; }; static int fillonedir(void * __buf, const char * name, int namlen, loff_t offset, @@ -191,6 +193,10 @@ if (buf->count) return -EINVAL; + + if (!gr_acl_handle_filldir(buf->nd.dentry, buf->nd.mnt, ino)) + return 0; + buf->count++; dirent = buf->dirent; put_user(ino, &dirent->d_ino); @@ -215,6 +221,9 @@ buf.count = 0; buf.dirent = dirent; + buf.nd.dentry = file->f_dentry; + buf.nd.mnt = file->f_vfsmnt; + error = vfs_readdir(file, fillonedir, &buf); if (error >= 0) error = buf.count; @@ -242,6 +251,7 @@ struct linux_dirent * previous; int count; int error; + struct nameidata nd; }; static int filldir(void * __buf, const char * name, int namlen, loff_t offset, @@ -254,6 +264,10 @@ buf->error = -EINVAL; /* only used if we fail.. */ if (reclen > buf->count) return -EINVAL; + + if (!gr_acl_handle_filldir(buf->nd.dentry, buf->nd.mnt, ino)) + return 0; + dirent = buf->previous; if (dirent) put_user(offset, &dirent->d_off); @@ -286,6 +300,9 @@ buf.count = count; buf.error = 0; + buf.nd.dentry = file->f_dentry; + buf.nd.mnt = file->f_vfsmnt; + error = vfs_readdir(file, filldir, &buf); if (error < 0) goto out_putf; @@ -320,6 +337,7 @@ struct linux_dirent64 * previous; int count; int error; + struct nameidata nd; }; static int filldir64(void * __buf, const char * name, int namlen, loff_t offset, @@ -332,6 +350,10 @@ buf->error = -EINVAL; /* only used if we fail.. */ if (reclen > buf->count) return -EINVAL; + + if (!gr_acl_handle_filldir(buf->nd.dentry, buf->nd.mnt, ino)) + return 0; + dirent = buf->previous; if (dirent) { d.d_off = offset; @@ -369,6 +391,9 @@ buf.count = count; buf.error = 0; + buf.nd.mnt = file->f_vfsmnt; + buf.nd.dentry = file->f_dentry; + error = vfs_readdir(file, filldir64, &buf); if (error < 0) goto out_putf; diff -urN linux-2.4.20/grsecurity/Config.in linux-2.4.20/grsecurity/Config.in --- linux-2.4.20/grsecurity/Config.in 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/Config.in 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,327 @@ +choice 'Security level' \ + "Low CONFIG_GRKERNSEC_LOW \ + Medium CONFIG_GRKERNSEC_MID \ + High CONFIG_GRKERNSEC_HI \ + Customized CONFIG_GRKERNSEC_CUSTOM" Customized +if [ "$CONFIG_GRKERNSEC_LOW" = "y" ]; then +define_bool CONFIG_GRKERNSEC_RANDSRC n +define_bool CONFIG_GRKERNSEC_RANDRPC n +define_bool CONFIG_GRKERNSEC_RANDPING n +define_bool CONFIG_GRKERNSEC_FORKFAIL n +define_bool CONFIG_GRKERNSEC_TIME n +define_bool CONFIG_GRKERNSEC_SIGNAL n +define_bool CONFIG_GRKERNSEC_CHROOT_SHMAT n +define_bool CONFIG_GRKERNSEC_CHROOT_MOUNT n +define_bool CONFIG_GRKERNSEC_CHROOT_FCHDIR n +define_bool CONFIG_GRKERNSEC_CHROOT_DOUBLE n +define_bool CONFIG_GRKERNSEC_CHROOT_PIVOT n +define_bool CONFIG_GRKERNSEC_CHROOT_MKNOD n +define_bool CONFIG_GRKERNSEC_PROC n +define_bool CONFIG_GRKERNSEC_PROC_MEMMAP n +define_bool CONFIG_GRKERNSEC_CHROOT_CAPS n +define_bool CONFIG_GRKERNSEC_CHROOT_SYSCTL n +define_bool CONFIG_GRKERNSEC_PROC_USERGROUP n +define_bool CONFIG_GRKERNSEC_KMEM n +define_bool CONFIG_GRKERNSEC_PROC_ADD n +define_bool CONFIG_GRKERNSEC_CHROOT_CHMOD n +define_bool CONFIG_GRKERNSEC_CHROOT_NICE n +define_bool CONFIG_GRKERNSEC_CHROOT_FINDTASK n +define_bool CONFIG_GRKERNSEC_PAX_RANDUSTACK n +define_bool CONFIG_GRKERNSEC_PAX_RANDKSTACK n +define_bool CONFIG_GRKERNSEC_PAX_ASLR n +define_bool CONFIG_GRKERNSEC_PAX_RANDMMAP n +if [ "$CONFIG_X86" = "y" ]; then +define_bool CONFIG_GRKERNSEC_IO n +define_bool CONFIG_GRKERNSEC_PAX_NOEXEC n +define_bool CONFIG_GRKERNSEC_PAX_PAGEEXEC n +define_bool CONFIG_GRKERNSEC_PAX_RANDEXEC n +define_bool CONFIG_GRKERNSEC_PAX_SEGMEXEC n +define_bool CONFIG_GRKERNSEC_PAX_EMUTRAMP n +define_bool CONFIG_GRKERNSEC_PAX_EMUSIGRT n +define_bool CONFIG_GRKERNSEC_PAX_NOELFRELOCS n +define_bool CONFIG_GRKERNSEC_PAX_MPROTECT n +fi +define_bool CONFIG_GRKERNSEC_AUDIT_MOUNT n +define_bool CONFIG_GRKERNSEC_ACL_HIDEKERN n +define_bool CONFIG_GRKERNSEC_RESLOG n +define_int CONFIG_GRKERNSEC_ACL_MAXTRIES 3 +define_int CONFIG_GRKERNSEC_ACL_TIMEOUT 30 + +define_int CONFIG_GRKERNSEC_FLOODTIME 10 +define_int CONFIG_GRKERNSEC_FLOODBURST 4 +define_bool CONFIG_GRKERNSEC_LINK y +define_bool CONFIG_GRKERNSEC_FIFO y +define_bool CONFIG_GRKERNSEC_RANDPID y +define_bool CONFIG_GRKERNSEC_EXECVE y +define_bool CONFIG_GRKERNSEC_RANDNET y +define_bool CONFIG_GRKERNSEC_RANDISN n +define_bool CONFIG_GRKERNSEC_DMESG y +define_bool CONFIG_GRKERNSEC_RANDID y +define_bool CONFIG_GRKERNSEC_CHROOT_CHDIR y +fi +if [ "$CONFIG_GRKERNSEC_MID" = "y" ]; then +define_bool CONFIG_GRKERNSEC_KMEM n +define_bool CONFIG_GRKERNSEC_PROC_MEMMAP n +define_bool CONFIG_GRKERNSEC_PROC_ADD n +define_bool CONFIG_GRKERNSEC_CHROOT_CHMOD n +define_bool CONFIG_GRKERNSEC_CHROOT_NICE n +define_bool CONFIG_GRKERNSEC_CHROOT_FINDTASK n +if [ "$CONFIG_X86" = "y" ]; then +define_bool CONFIG_GRKERNSEC_IO n +define_bool CONFIG_GRKERNSEC_PAX_NOEXEC n +define_bool CONFIG_GRKERNSEC_PAX_PAGEEXEC n +define_bool CONFIG_GRKERNSEC_PAX_RANDEXEC n +define_bool CONFIG_GRKERNSEC_PAX_SEGMEXEC n +define_bool CONFIG_GRKERNSEC_PAX_EMUTRAMP n +define_bool CONFIG_GRKERNSEC_PAX_EMUSIGRT n +define_bool CONFIG_GRKERNSEC_PAX_NOELFRELOCS n +define_bool CONFIG_GRKERNSEC_PAX_MPROTECT n +fi +define_bool CONFIG_GRKERNSEC_AUDIT_MOUNT n +define_bool CONFIG_GRKERNSEC_CHROOT_CAPS n +define_bool CONFIG_GRKERNSEC_CHROOT_SYSCTL y +define_bool CONFIG_GRKERNSEC_AUDIT_MOUNT n +define_bool CONFIG_GRKERNSEC_CHROOT_FCHDIR n +define_bool CONFIG_GRKERNSEC_ACL_HIDEKERN n +define_bool CONFIG_GRKERNSEC_RESLOG n +define_int CONFIG_GRKERNSEC_ACL_MAXTRIES 3 +define_int CONFIG_GRKERNSEC_ACL_TIMEOUT 30 + +define_int CONFIG_GRKERNSEC_FLOODTIME 10 +define_int CONFIG_GRKERNSEC_FLOODBURST 4 +define_bool CONFIG_GRKERNSEC_LINK y +define_bool CONFIG_GRKERNSEC_FIFO y +define_bool CONFIG_GRKERNSEC_RANDPID y +define_bool CONFIG_GRKERNSEC_EXECVE y +define_bool CONFIG_GRKERNSEC_DMESG y +define_bool CONFIG_GRKERNSEC_RANDID y +define_bool CONFIG_GRKERNSEC_RANDNET y +define_bool CONFIG_GRKERNSEC_RANDISN y +define_bool CONFIG_GRKERNSEC_RANDSRC y +define_bool CONFIG_GRKERNSEC_RANDRPC y +define_bool CONFIG_GRKERNSEC_RANDPING y +define_bool CONFIG_GRKERNSEC_FORKFAIL y +define_bool CONFIG_GRKERNSEC_TIME y +define_bool CONFIG_GRKERNSEC_SIGNAL y +define_bool CONFIG_GRKERNSEC_CHROOT y +define_bool CONFIG_GRKERNSEC_CHROOT_SHMAT n +define_bool CONFIG_GRKERNSEC_CHROOT_UNIX y +define_bool CONFIG_GRKERNSEC_CHROOT_MOUNT y +define_bool CONFIG_GRKERNSEC_CHROOT_PIVOT y +define_bool CONFIG_GRKERNSEC_CHROOT_DOUBLE y +define_bool CONFIG_GRKERNSEC_CHROOT_CHDIR y +define_bool CONFIG_GRKERNSEC_CHROOT_MKNOD y +define_bool CONFIG_GRKERNSEC_PROC y +define_bool CONFIG_GRKERNSEC_PROC_USERGROUP y +define_int CONFIG_GRKERNSEC_PROC_GID 10 +define_bool CONFIG_GRKERNSEC_PAX_RANDUSTACK y +define_bool CONFIG_GRKERNSEC_PAX_RANDKSTACK n +define_bool CONFIG_GRKERNSEC_PAX_ASLR y +define_bool CONFIG_GRKERNSEC_PAX_RANDMMAP y +fi +if [ "$CONFIG_GRKERNSEC_HI" = "y" ]; then +define_int CONFIG_GRKERNSEC_FLOODTIME 10 +define_int CONFIG_GRKERNSEC_FLOODBURST 4 +define_bool CONFIG_GRKERNSEC_LINK y +define_bool CONFIG_GRKERNSEC_FIFO y +define_bool CONFIG_GRKERNSEC_RANDPID y +define_bool CONFIG_GRKERNSEC_EXECVE y +define_bool CONFIG_GRKERNSEC_DMESG y +define_bool CONFIG_GRKERNSEC_RANDID y +define_bool CONFIG_GRKERNSEC_RANDSRC y +define_bool CONFIG_GRKERNSEC_RANDRPC y +define_bool CONFIG_GRKERNSEC_RANDPING y +define_bool CONFIG_GRKERNSEC_FORKFAIL y +define_bool CONFIG_GRKERNSEC_TIME y +define_bool CONFIG_GRKERNSEC_SIGNAL y +define_bool CONFIG_GRKERNSEC_CHROOT_SHMAT y +define_bool CONFIG_GRKERNSEC_CHROOT_UNIX y +define_bool CONFIG_GRKERNSEC_CHROOT_MOUNT y +define_bool CONFIG_GRKERNSEC_CHROOT_FCHDIR y +define_bool CONFIG_GRKERNSEC_CHROOT_PIVOT y +define_bool CONFIG_GRKERNSEC_CHROOT_DOUBLE y +define_bool CONFIG_GRKERNSEC_CHROOT_CHDIR y +define_bool CONFIG_GRKERNSEC_CHROOT_MKNOD y +define_bool CONFIG_GRKERNSEC_CHROOT_CAPS y +define_bool CONFIG_GRKERNSEC_CHROOT_SYSCTL y +define_bool CONFIG_GRKERNSEC_CHROOT_FINDTASK y +define_bool CONFIG_GRKERNSEC_PROC y +define_bool CONFIG_GRKERNSEC_PROC_MEMMAP y +define_bool CONFIG_GRKERNSEC_PROC_USERGROUP y +define_int CONFIG_GRKERNSEC_PROC_GID 10 +define_bool CONFIG_GRKERNSEC_KMEM y +define_bool CONFIG_GRKERNSEC_RESLOG y +define_bool CONFIG_GRKERNSEC_RANDNET y +define_bool CONFIG_GRKERNSEC_RANDISN y + +define_bool CONFIG_GRKERNSEC_AUDIT_MOUNT n +define_bool CONFIG_GRKERNSEC_ACL_HIDEKERN n +define_int CONFIG_GRKERNSEC_ACL_MAXTRIES 3 +define_int CONFIG_GRKERNSEC_ACL_TIMEOUT 30 + +define_bool CONFIG_GRKERNSEC_PROC_ADD y +define_bool CONFIG_GRKERNSEC_CHROOT_CHMOD y +define_bool CONFIG_GRKERNSEC_CHROOT_NICE y +define_bool CONFIG_GRKERNSEC_PAX_RANDUSTACK y +define_bool CONFIG_GRKERNSEC_PAX_RANDKSTACK y +define_bool CONFIG_GRKERNSEC_PAX_ASLR y +define_bool CONFIG_GRKERNSEC_PAX_RANDMMAP y +if [ "$CONFIG_X86" = "y" ]; then +define_bool CONFIG_GRKERNSEC_IO n +define_bool CONFIG_GRKERNSEC_PAX_NOEXEC y +define_bool CONFIG_GRKERNSEC_PAX_PAGEEXEC n +define_bool CONFIG_GRKERNSEC_PAX_RANDEXEC y +define_bool CONFIG_GRKERNSEC_PAX_SEGMEXEC y +define_bool CONFIG_GRKERNSEC_PAX_EMUTRAMP n +define_bool CONFIG_GRKERNSEC_PAX_EMUSIGRT n +define_bool CONFIG_GRKERNSEC_PAX_NOELFRELOCS n +define_bool CONFIG_GRKERNSEC_PAX_MPROTECT y +fi +define_bool CONFIG_GRKERNSEC_AUDIT_MOUNT y +fi +if [ "$CONFIG_GRKERNSEC_CUSTOM" = "y" ]; then +mainmenu_option next_comment +comment 'Address Space Protection' +if [ "$CONFIG_X86" = "y" ]; then + bool 'Enforce non-executable pages' CONFIG_GRKERNSEC_PAX_NOEXEC + if [ "$CONFIG_GRKERNSEC_PAX_NOEXEC" = "y" ]; then + bool 'Paging based non-executable pages' CONFIG_GRKERNSEC_PAX_PAGEEXEC + bool 'Segmentation based non-executable pages' CONFIG_GRKERNSEC_PAX_SEGMEXEC + if [ "$CONFIG_GRKERNSEC_PAX_PAGEEXEC" = "y" -o "$CONFIG_GRKERNSEC_PAX_SEGMEXEC" = "y" ]; then + bool ' Emulate trampolines' CONFIG_GRKERNSEC_PAX_EMUTRAMP + if [ "$CONFIG_GRKERNSEC_PAX_EMUTRAMP" = "y" ]; then + bool ' Automatically emulate sigreturn trampolines' CONFIG_GRKERNSEC_PAX_EMUSIGRT + fi + bool ' Restrict mprotect()' CONFIG_GRKERNSEC_PAX_MPROTECT + if [ "$CONFIG_GRKERNSEC_PAX_MPROTECT" = "y" ]; then + bool ' Disallow ELF text relocations (DANGEROUS)' CONFIG_GRKERNSEC_PAX_NOELFRELOCS + fi + fi + fi +fi +bool 'Address Space Layout Randomization' CONFIG_GRKERNSEC_PAX_ASLR +if [ "$CONFIG_GRKERNSEC_PAX_ASLR" = "y" ]; then + if [ "$CONFIG_X86_TSC" = "y" ]; then + bool ' Randomize kernel stack base' CONFIG_GRKERNSEC_PAX_RANDKSTACK + fi + bool ' Randomize user stack base' CONFIG_GRKERNSEC_PAX_RANDUSTACK + bool ' Randomize mmap() base' CONFIG_GRKERNSEC_PAX_RANDMMAP + if [ "$CONFIG_GRKERNSEC_PAX_RANDMMAP" = "y" -a "$CONFIG_GRKERNSEC_PAX_NOEXEC" = "y" ]; then + if [ "$CONFIG_GRKERNSEC_PAX_PAGEEXEC" = "y" -o "$CONFIG_GRKERNSEC_PAX_SEGMEXEC" = "y" ]; then + bool ' Randomize ET_EXEC base' CONFIG_GRKERNSEC_PAX_RANDEXEC + fi + fi +fi +bool 'Deny writing to /dev/kmem, /dev/mem, and /dev/port' CONFIG_GRKERNSEC_KMEM +if [ "$CONFIG_X86" = "y" ]; then + bool 'Disable privileged I/O' CONFIG_GRKERNSEC_IO + if [ "$CONFIG_GRKERNSEC_IO" = "y" ]; then + define_bool CONFIG_RTC y + fi +fi +bool 'Remove addresses from /proc/pid/maps' CONFIG_GRKERNSEC_PROC_MEMMAP +endmenu +mainmenu_option next_comment +comment 'ACL options' +bool 'Hide kernel processes' CONFIG_GRKERNSEC_ACL_HIDEKERN +int 'Maximum tries before password lockout' CONFIG_GRKERNSEC_ACL_MAXTRIES 3 +int 'Time to wait after max password tries, in seconds' CONFIG_GRKERNSEC_ACL_TIMEOUT 30 +endmenu +mainmenu_option next_comment +comment 'Filesystem Protections' +bool 'Proc restrictions' CONFIG_GRKERNSEC_PROC +if [ "$CONFIG_GRKERNSEC_PROC" != "n" ]; then +bool ' Restrict to user only' CONFIG_GRKERNSEC_PROC_USER +if [ "$CONFIG_GRKERNSEC_PROC_USER" != "n" ]; then +bool ' Additional restrictions' CONFIG_GRKERNSEC_PROC_ADD +fi +if [ "$CONFIG_GRKERNSEC_PROC_USER" != "y" ]; then +bool ' Allow special group' CONFIG_GRKERNSEC_PROC_USERGROUP +if [ "$CONFIG_GRKERNSEC_PROC_USERGROUP" != "n" ]; then +int ' GID for special group' CONFIG_GRKERNSEC_PROC_GID 1001 +bool ' Additional restrictions' CONFIG_GRKERNSEC_PROC_ADD +fi +fi +fi +bool 'Linking restrictions' CONFIG_GRKERNSEC_LINK +bool 'FIFO restrictions' CONFIG_GRKERNSEC_FIFO +bool 'Chroot jail restrictions' CONFIG_GRKERNSEC_CHROOT +if [ "$CONFIG_GRKERNSEC_CHROOT" != "n" ]; then +bool ' Deny mounts' CONFIG_GRKERNSEC_CHROOT_MOUNT +bool ' Deny double-chroots' CONFIG_GRKERNSEC_CHROOT_DOUBLE +bool ' Deny pivot_root in chroot' CONFIG_GRKERNSEC_CHROOT_PIVOT +bool ' Enforce chdir("/") on all chroots' CONFIG_GRKERNSEC_CHROOT_CHDIR +bool ' Deny (f)chmod +s' CONFIG_GRKERNSEC_CHROOT_CHMOD +bool ' Deny fchdir out of chroot' CONFIG_GRKERNSEC_CHROOT_FCHDIR +bool ' Deny mknod' CONFIG_GRKERNSEC_CHROOT_MKNOD +bool ' Deny shmat() out of chroot' CONFIG_GRKERNSEC_CHROOT_SHMAT +bool ' Deny access to abstract AF_UNIX sockets out of chroot' CONFIG_GRKERNSEC_CHROOT_UNIX +bool ' Protect outside processes' CONFIG_GRKERNSEC_CHROOT_FINDTASK +bool ' Restrict priority changes' CONFIG_GRKERNSEC_CHROOT_NICE +bool ' Deny sysctl writes in chroot' CONFIG_GRKERNSEC_CHROOT_SYSCTL +bool ' Capability restrictions within chroot' CONFIG_GRKERNSEC_CHROOT_CAPS +fi +endmenu +mainmenu_option next_comment +comment 'Kernel Auditing' +bool 'Single group for auditing' CONFIG_GRKERNSEC_AUDIT_GROUP +if [ "$CONFIG_GRKERNSEC_AUDIT_GROUP" != "n" ]; then +int ' GID for auditing' CONFIG_GRKERNSEC_AUDIT_GID 1007 +fi +bool 'Exec logging' CONFIG_GRKERNSEC_EXECLOG +bool 'Resource logging' CONFIG_GRKERNSEC_RESLOG +bool 'Log execs within chroot' CONFIG_GRKERNSEC_CHROOT_EXECLOG +bool 'Chdir logging' CONFIG_GRKERNSEC_AUDIT_CHDIR +bool '(Un)Mount logging' CONFIG_GRKERNSEC_AUDIT_MOUNT +bool 'IPC logging' CONFIG_GRKERNSEC_AUDIT_IPC +bool 'Signal logging' CONFIG_GRKERNSEC_SIGNAL +bool 'Fork failure logging' CONFIG_GRKERNSEC_FORKFAIL +bool 'Time change logging' CONFIG_GRKERNSEC_TIME +endmenu +mainmenu_option next_comment +comment 'Executable Protections' +bool 'Exec process limiting' CONFIG_GRKERNSEC_EXECVE +bool 'Dmesg(8) restriction' CONFIG_GRKERNSEC_DMESG +bool 'Randomized PIDs' CONFIG_GRKERNSEC_RANDPID +bool 'Trusted path execution' CONFIG_GRKERNSEC_TPE +if [ "$CONFIG_GRKERNSEC_TPE" != "n" ]; then +bool ' Partially restrict non-root users' CONFIG_GRKERNSEC_TPE_ALL +int ' GID for untrusted users:' CONFIG_GRKERNSEC_TPE_GID 1005 +fi +endmenu +mainmenu_option next_comment +comment 'Network Protections' +bool 'Larger entropy pools' CONFIG_GRKERNSEC_RANDNET +bool 'Truly random TCP ISN selection' CONFIG_GRKERNSEC_RANDISN +bool 'Randomized IP IDs' CONFIG_GRKERNSEC_RANDID +bool 'Randomized TCP source ports' CONFIG_GRKERNSEC_RANDSRC +bool 'Randomized RPC XIDs' CONFIG_GRKERNSEC_RANDRPC +bool 'Altered Ping IDs' CONFIG_GRKERNSEC_RANDPING +bool 'Socket restrictions' CONFIG_GRKERNSEC_SOCKET +if [ "$CONFIG_GRKERNSEC_SOCKET" != "n" ]; then +bool ' Deny any sockets to group' CONFIG_GRKERNSEC_SOCKET_ALL +if [ "$CONFIG_GRKERNSEC_SOCKET_ALL" != "n" ]; then +int ' GID to deny all sockets for:' CONFIG_GRKERNSEC_SOCKET_ALL_GID 1004 +fi +bool ' Deny client sockets to group' CONFIG_GRKERNSEC_SOCKET_CLIENT +if [ "$CONFIG_GRKERNSEC_SOCKET_CLIENT" != "n" ]; then +int ' GID to deny client sockets for:' CONFIG_GRKERNSEC_SOCKET_CLIENT_GID 1003 +fi +bool ' Deny server sockets to group' CONFIG_GRKERNSEC_SOCKET_SERVER +if [ "$CONFIG_GRKERNSEC_SOCKET_SERVER" != "n" ]; then +int ' GID to deny server sockets for:' CONFIG_GRKERNSEC_SOCKET_SERVER_GID 1002 +fi +fi +endmenu +if [ "$CONFIG_SYSCTL" != "n" ]; then +mainmenu_option next_comment +comment 'Sysctl support' +bool 'Sysctl support' CONFIG_GRKERNSEC_SYSCTL +endmenu +fi +mainmenu_option next_comment +comment 'Miscellaneous Features' +int 'Seconds in between log messages (minimum)' CONFIG_GRKERNSEC_FLOODTIME 10 +int 'Number of messages in a burst (maximum)' CONFIG_GRKERNSEC_FLOODBURST 4 +endmenu +fi diff -urN linux-2.4.20/grsecurity/Makefile linux-2.4.20/grsecurity/Makefile --- linux-2.4.20/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/Makefile 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,23 @@ +# grsecurity's ACL system was originally written in 2001 by Michael Dalton +# during 2001, 2002, and 2003 it has been completely redesigned by +# Brad Spengler +# +# All code in this directory and various hooks inserted throughout the kernel +# are copyright Brad Spengler, and released under the GPL, unless otherwise +# noted (as in obsd_rand.c) + +O_TARGET := grsec.o + +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \ + grsec_mount.o grsec_rand.o grsec_sig.o grsec_sock.o grsec_sysctl.o \ + grsec_time.o grsec_tpe.o grsec_ipc.o grsec_link.o + +ifeq ($(CONFIG_GRKERNSEC),y) +obj-y += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o obsd_rand.o \ + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o +else +obj-y += grsec_disabled.o +endif + +include $(TOPDIR)/Rules.make diff -urN linux-2.4.20/grsecurity/gracl.c linux-2.4.20/grsecurity/gracl.c --- linux-2.4.20/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/gracl.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,1734 @@ +/* + * grsecurity/gracl.c + * Copyright Brad Spengler 2001, 2002, 2003 + * + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include + +static struct acl_subject_db acl_subj_set; +static struct acl_subject_label *subj_list_head; +static struct name_db name_set; +static struct name_db inodev_set; + +static struct admin_pw pwent; /* password entry */ + +static spinlock_t gr_proc_lock = SPIN_LOCK_UNLOCKED; +rwlock_t gr_inode_lock = RW_LOCK_UNLOCKED; + +extern char *gr_shared_page[NR_CPUS]; + +static unsigned long gr_status = GR_STATUS_INIT; + +extern int chkpw(struct gr_arg *entry, struct admin_pw * pwent); + +#ifdef CONFIG_GRKERNSEC_RESLOG +extern __inline__ void gr_log_resource(const struct task_struct *task, + const int res, const unsigned long wanted); +#endif + +/* The special mode : admin(called god_label for historical reasons) mode */ + +static struct acl_subject_label *god_label = NULL; +static struct acl_subject_label *kernel_label = NULL; +static struct acl_subject_label *root_label = NULL; + +/* The following are used to keep a place held in the hash table when we move + entries around. They can be replaced during insert. */ + +static struct acl_subject_label *deleted_subject; +static struct acl_object_label *deleted_object; +static struct name_entry *deleted_inodev; + +extern int gr_init_uidset(void); +extern void gr_free_uidset(void); +extern void gr_remove_uid(uid_t uid); +extern int gr_find_uid(uid_t uid); + +__inline__ int gr_acl_is_enabled(void) +{ + return (gr_status & GR_READY); +} + +static __inline__ char * d_real_path(const struct dentry * dentry, const struct vfsmount * vfsmnt, + char * buf, int buflen) +{ + char *res; + struct dentry *our_dentry; + struct vfsmount *our_mount; + struct vfsmount *rootmnt; + struct dentry *root; + + our_dentry = (struct dentry *)dentry; + our_mount = (struct vfsmount *)vfsmnt; + + read_lock(&child_reaper->fs->lock); + rootmnt = mntget(child_reaper->fs->rootmnt); + root = dget(child_reaper->fs->root); + read_unlock(&child_reaper->fs->lock); + + spin_lock(&dcache_lock); + res = __d_path(our_dentry, our_mount, root, rootmnt, buf, buflen); + spin_unlock(&dcache_lock); + dput(root); + mntput(rootmnt); + return res; +} + +char *gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt) +{ + return d_real_path(dentry, mnt, gr_shared_page[smp_processor_id()], PAGE_SIZE); +} + +__inline__ __u32 to_gr_audit(const __u32 reqmode) +{ + __u32 retmode = 0; + + retmode |= (reqmode & GR_READ) ? GR_AUDIT_READ : 0; + retmode |= (reqmode & GR_WRITE) ? GR_AUDIT_WRITE | GR_AUDIT_APPEND : 0; + retmode |= (reqmode & GR_APPEND) ? GR_AUDIT_APPEND : 0; + retmode |= (reqmode & GR_EXEC) ? GR_AUDIT_EXEC : 0; + retmode |= (reqmode & GR_INHERIT) ? GR_AUDIT_INHERIT : 0; + retmode |= (reqmode & GR_PTRACERD) ? GR_AUDIT_PTRACERD : 0; + retmode |= (reqmode & GR_FIND) ? GR_AUDIT_FIND : 0; + + return retmode; +} + +__inline__ struct acl_subject_label * +lookup_acl_subj_label(const ino_t ino, const kdev_t dev) +{ + unsigned long index = fhash(ino, dev, acl_subj_set.s_size); + struct acl_subject_label *match; + __u8 i = 0; + + match = acl_subj_set.s_hash[index]; + + while (match && (match->inode != ino || match->device != dev)) { + index = (index + (1 << i)) % acl_subj_set.s_size; + match = acl_subj_set.s_hash[index]; + i = (i + 1) % 32; + } + + if (unlikely(match && (match != deleted_subject) && + (match->inode == ino) && (match->device == dev))) + return match; + else + return NULL; +} + +static __inline__ struct acl_object_label * +lookup_acl_obj_label(const ino_t ino, const kdev_t dev, + const struct acl_subject_label *subj) +{ + unsigned long obj_size = subj->obj_hash_size; + struct acl_object_label **o_hash = subj->obj_hash; + unsigned long index = fhash(ino, dev, obj_size); + struct acl_object_label *match; + __u8 i = 0; + + match = o_hash[index]; + + while (match && (match->inode != ino || match->device != dev)) { + index = (index + (1 << i)) % obj_size; + match = o_hash[index]; + i = (i + 1) % 32; + } + + if (unlikely(match && (match != deleted_object) && + (match->inode == ino) && (match->device == dev))) + return match; + else + return NULL; +} + +static __inline__ struct name_entry * +lookup_name_entry(const char *name) +{ + unsigned long index = nhash(name, name_set.n_size); + struct name_entry *match; + __u8 i = 0; + + match = name_set.n_hash[index]; + + while (match && (strcmp(match->name, name)) != 0) { + index = (index + (1 << i)) % name_set.n_size; + match = name_set.n_hash[index]; + i = (i + 1) % 32; + } + + if (unlikely(match && !strcmp(name, match->name))) + return match; + else + return NULL; +} + + +static __inline__ struct name_entry * +lookup_inodev_entry(const ino_t ino, const kdev_t dev) +{ + unsigned long index = fhash(ino, dev, inodev_set.n_size); + struct name_entry *match; + __u8 i = 0; + + match = inodev_set.n_hash[index]; + + while (match && (match->inode != ino || match->device != dev)) { + index = (index + (1 << i)) % inodev_set.n_size; + match = inodev_set.n_hash[index]; + i = (i + 1) % 32; + } + + if (unlikely(match && (match != deleted_inodev) && + (match->inode == ino) && (match->device == dev))) + return match; + else + return NULL; +} + +/* The following routines perform insertion into the tables after + * the add_{type} process the config file */ + +static void +insert_inodev_entry(struct name_entry *nentry) +{ + unsigned long index = fhash(nentry->inode, nentry->device, + inodev_set.n_size); + struct name_entry **curr; + __u8 i = 0; + + curr = &inodev_set.n_hash[index]; + + while (*curr && *curr != deleted_inodev) { + index = (index + (1 << i)) % inodev_set.n_size; + curr = &inodev_set.n_hash[index]; + i = (i + 1) % 32; + } + + *curr = nentry; + + return; +} + +static int +insert_name_entry(char *name, const ino_t inode, const kdev_t device) +{ + unsigned long index = nhash(name, name_set.n_size); + struct name_entry **curr; + __u8 i = 0; + + curr = &name_set.n_hash[index]; + + while (*curr && strcmp(name, (*curr)->name)) { + index = (index + (1 << i)) % name_set.n_size; + curr = &name_set.n_hash[index]; + i = (i + 1) % 32; + } + + if (!(*curr)) { + struct name_entry *nentry = acl_alloc(sizeof(struct name_entry)); + if (!nentry) + return 0; + nentry->name = name; + nentry->inode = inode; + nentry->device = device; + *curr = nentry; + /* insert us into the table searchable by inode/dev */ + insert_inodev_entry(nentry); + } + + return 1; +} + +static void +insert_acl_obj_label(struct acl_object_label *obj, struct acl_subject_label *subj) +{ + unsigned long index = fhash(obj->inode, obj->device, subj->obj_hash_size); + struct acl_object_label **curr; + __u8 i = 0; + + curr = &subj->obj_hash[index]; + + while (*curr && *curr != deleted_object) { + index = (index + (1 << i)) % subj->obj_hash_size; + curr = &subj->obj_hash[index]; + i = (i + 1) % 32; + } + + *curr = obj; + + return; +} + +static void +insert_acl_subj_label(struct acl_subject_label *obj) +{ + unsigned long index = fhash(obj->inode, obj->device, acl_subj_set.s_size); + struct acl_subject_label **curr; + __u8 i = 0; + + curr = &acl_subj_set.s_hash[index]; + + while (*curr && *curr != deleted_subject) { + index = (index + (1 << i)) % acl_subj_set.s_size; + curr = &acl_subj_set.s_hash[index]; + i = (i + 1) % 32; + } + + *curr = obj; + + return; +} + +/* Create a table(requesting size close to 2^pwr entrie of member size) + * and replace the current table size with the new one. + * We use prime table sizes until we reach the bounds of 32-bit word machines + * Once we reach there we simply double the table size */ + +static void ** +create_table(__u32 *len) +{ + unsigned long table_sizes[] = { + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381, + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143, + 4194301, 8388593, 16777213, 33554393, 67108859, 134217689, + 268435399, 536870909, 1073741789, 2147483647 + }; + void * newtable = NULL; + unsigned int pwr = 0; + + while ((pwr < ((sizeof(table_sizes)/sizeof(table_sizes[0])) - 1)) && + table_sizes[pwr] <= (2 * (*len))) + pwr++; + + if(table_sizes[pwr] <= (2 * (*len))) + return newtable; + + if((table_sizes[pwr] * sizeof(void *)) <= PAGE_SIZE) + newtable = kmalloc(table_sizes[pwr] * sizeof(void *), GFP_KERNEL); + else + newtable = vmalloc(table_sizes[pwr] * sizeof(void *)); + + *len = table_sizes[pwr]; + + return newtable; +} + +static int +init_variables(const unsigned long acl_obj_size, const unsigned long acl_subj_size, + const unsigned long acl_ip_size) +{ + unsigned long stacksize; + + acl_subj_set.s_size = acl_subj_size; + name_set.n_size = (acl_obj_size + acl_subj_size); + inodev_set.n_size = (acl_obj_size + acl_subj_size); + + if(!gr_init_uidset()) return 1; + + /* set up the stack that holds allocation info */ + + stacksize = (3 * acl_obj_size) + (4 * acl_subj_size) + acl_ip_size + 3; + + if (!acl_alloc_stack_init(stacksize)) + return 1; + + /* create our empty, fake deleted acls */ + deleted_subject = (struct acl_subject_label *)acl_alloc(sizeof(struct acl_subject_label)); + deleted_object = (struct acl_object_label *)acl_alloc(sizeof(struct acl_object_label)); + deleted_inodev = (struct name_entry *)acl_alloc(sizeof(struct name_entry)); + + if (!deleted_subject || !deleted_object || !deleted_inodev) + return 1; + + memset(deleted_subject, 0, sizeof(struct acl_subject_label)); + memset(deleted_object, 0, sizeof(struct acl_object_label)); + memset(deleted_inodev, 0, sizeof(struct name_entry)); + + /* We only want 50% full tables for now */ + + acl_subj_set.s_hash = (struct acl_subject_label **)create_table(&acl_subj_set.s_size); + name_set.n_hash = (struct name_entry **)create_table(&name_set.n_size); + inodev_set.n_hash = (struct name_entry **)create_table(&inodev_set.n_size); + + if (!acl_subj_set.s_hash || !name_set.n_hash || !inodev_set.n_hash) + return 1; + memset(acl_subj_set.s_hash, 0, + sizeof (struct acl_subject_label *) * acl_subj_set.s_size); + memset(name_set.n_hash, 0, + sizeof (struct name_entry *) * name_set.n_size); + memset(inodev_set.n_hash, 0, + sizeof (struct name_entry *) * inodev_set.n_size); + + return 0; +} + +static void +free_variables(void) +{ + struct acl_subject_label *s; + struct task_struct * task; + + read_lock(&tasklist_lock); + for_each_task(task) { + task->acl_admin = 0; + task->acl = NULL; + } + read_unlock(&tasklist_lock); + + /* free all object hash tables */ + + if (subj_list_head) { + for(s = subj_list_head; s; s = s->next) { + if (!s->obj_hash) + break; + if((s->obj_hash_size * sizeof(struct acl_object_label *)) <= PAGE_SIZE) + kfree(s->obj_hash); + else + vfree(s->obj_hash); + } + } + + acl_free_all(); + + if(acl_subj_set.s_hash) { + if((acl_subj_set.s_size * sizeof(struct acl_subject_label *)) <= PAGE_SIZE) + kfree(acl_subj_set.s_hash); + else + vfree(acl_subj_set.s_hash); + } + if(name_set.n_hash) { + if((name_set.n_size * sizeof(struct name_entry *)) <= PAGE_SIZE) + kfree(name_set.n_hash); + else + vfree(name_set.n_hash); + } + + if(inodev_set.n_hash) { + if((inodev_set.n_size * sizeof(struct name_entry *)) <= PAGE_SIZE) + kfree(inodev_set.n_hash); + else + vfree(inodev_set.n_hash); + } + + gr_free_uidset(); + + memset(&name_set, 0, sizeof(struct name_db)); + memset(&inodev_set, 0, sizeof(struct name_db)); + memset(&acl_subj_set, 0, sizeof(struct acl_subject_db)); + + kernel_label = NULL; + god_label = NULL; + root_label = NULL; + subj_list_head = NULL; + + return; +} + +static __u32 +count_user_objs(struct acl_object_label *userp) +{ + struct acl_object_label o_tmp; + __u32 num = 0; + + while (userp) { + if (copy_from_user(&o_tmp, userp, + sizeof (struct acl_object_label))) + break; + + userp = o_tmp.prev; + num++; + } + + return num; +} + +static int +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj) +{ + struct acl_object_label *o_tmp; + unsigned int len; + char *tmp; + + while (userp) { + if ((o_tmp = (struct acl_object_label *) + acl_alloc(sizeof (struct acl_object_label))) == NULL) + return -ENOMEM; + + if (copy_from_user(o_tmp, userp, + sizeof (struct acl_object_label))) + return -EFAULT; + + userp = o_tmp->prev; + + len = strnlen_user(o_tmp->filename, PATH_MAX); + + if (!len || len >= PATH_MAX) + return -EINVAL; + + if ((tmp = (char *)acl_alloc(len)) == NULL) + return -ENOMEM; + + if (copy_from_user(tmp, o_tmp->filename, len)) + return -EFAULT; + + o_tmp->filename = tmp; + + insert_acl_obj_label(o_tmp, subj); + if(!insert_name_entry(o_tmp->filename, o_tmp->inode, + o_tmp->device)) + return -ENOMEM; + } + + return 0; +} + +static int +copy_user_acl(struct gr_arg *arg) +{ + struct acl_subject_label *s_tmp = NULL, **s_utmp, *s_utmp2, *s_last; + struct acl_ip_label **i_tmp, *i_utmp2; + unsigned long s_num, i_num; + char *tmp; + int err = 0; + unsigned int len; + __u32 num_objs; + + s_utmp = (struct acl_subject_label **)arg->subj_db.s_table; + + for(s_num = 0;s_num < arg->subj_db.s_entries;s_num++) { + s_last = s_tmp; + if ((s_tmp = acl_alloc(sizeof (struct acl_subject_label))) == NULL) { + err = -ENOMEM; + goto cleanup; + } + if (copy_from_user(&s_utmp2, s_utmp + s_num, + sizeof (struct acl_subject_label *))) { + err = -EFAULT; + goto cleanup; + } + if (copy_from_user(s_tmp, s_utmp2, + sizeof (struct acl_subject_label))) { + err = -EFAULT; + goto cleanup; + } + + /* set up subject pointers */ + + if (!s_last) { + s_tmp->prev = NULL; + subj_list_head = s_tmp; + } else { + s_last->next = s_tmp; + s_tmp->prev = s_last; + } + + if (s_num == (arg->subj_db.s_entries - 1)) + s_tmp->next = NULL; + + len = strnlen_user(s_tmp->filename, PATH_MAX); + + if (!len || len >= PATH_MAX) { + err = -EINVAL; + goto cleanup; + } + + if ((tmp = (char *)acl_alloc(len)) == NULL) { + err = -ENOMEM; + goto cleanup; + } + if (copy_from_user(tmp, s_tmp->filename, len)) { + err = -EFAULT; + goto cleanup; + } + s_tmp->filename = tmp; + + /* set up object hash table */ + num_objs = count_user_objs(s_tmp->proc_object); + + s_tmp->obj_hash_size = num_objs; + s_tmp->obj_hash = (struct acl_object_label **)create_table(&(s_tmp->obj_hash_size)); + + if (!s_tmp->obj_hash) { + err = -ENOMEM; + goto cleanup; + } + memset(s_tmp->obj_hash, 0, s_tmp->obj_hash_size * sizeof(struct acl_object_label *)); + + /* add in objects */ + err = copy_user_objs(s_tmp->proc_object, s_tmp); + + if (err) + goto cleanup; + + if (!(strcmp(s_tmp->filename, "god"))) + god_label = s_tmp; + if (!(strcmp(s_tmp->filename, "kernel"))) + kernel_label = s_tmp; + else if (!(strcmp(s_tmp->filename, "/"))) + root_label = s_tmp; + + /* add in ip acls */ + + if(!s_tmp->ip_num) { + s_tmp->ips = NULL; + goto insert; + } + + if ((i_tmp = (struct acl_ip_label **) acl_alloc(s_tmp->ip_num * sizeof (struct acl_ip_label *))) == NULL) { + err = -ENOMEM; + goto cleanup; + } + + for(i_num = 0; i_num < s_tmp->ip_num; i_num++) { + if ((*(i_tmp + i_num) = (struct acl_ip_label *) acl_alloc(sizeof(struct acl_ip_label))) == NULL) { + err = -ENOMEM; + goto cleanup; + } + if (copy_from_user(&i_utmp2, s_tmp->ips + i_num, sizeof(struct acl_ip_label *))) { + err = -EFAULT; + goto cleanup; + } + if (copy_from_user(*(i_tmp + i_num), i_utmp2, sizeof(struct acl_ip_label))) { + err = -EFAULT; + goto cleanup; + } + } + + s_tmp->ips = i_tmp; + +insert: + insert_acl_subj_label(s_tmp); + if(!insert_name_entry(s_tmp->filename, s_tmp->inode, + s_tmp->device)) { + err = -ENOMEM; + goto cleanup; + } + } + + goto return_err; +cleanup: + free_variables(); +return_err: + return err; + +} + +static int +gracl_init(struct gr_arg *args) +{ + int error = 0; + + memcpy(pwent.salt, args->salt, sizeof(pwent.salt)); + memcpy(pwent.sum, args->sum, sizeof(pwent.sum)); + + if (args->subj_db.s_entries < 3) + return -EINVAL; + + if (init_variables(args->subj_db.o_entries, args->subj_db.s_entries, + args->subj_db.i_entries)) { + security_alert_good(GR_INITF_ACL_MSG, GR_INITF_ACL_FLD, GR_VERSION); + error = -1; + free_variables(); + } + + error = copy_user_acl(args); + if(error) { + free_variables(); + goto out; + } + + if((error = gr_set_acls(0))) { + free_variables(); + goto out; + } + + gr_status |= GR_READY; +out: + return error; +} + +/* * * * * * * * * * * * * * * * * * * * * * * + * Begin Misc Section + * * * * * * * * * * * * * * * * * * * * * * */ + +static __u32 +chk_obj_label(const struct dentry * l_dentry, const struct vfsmount * l_mnt, + const __u32 reqmode, const struct acl_subject_label *subj) +{ + struct dentry * dentry = (struct dentry *)l_dentry; + struct vfsmount * mnt = (struct vfsmount *)l_mnt; + struct dentry *root; + struct vfsmount *rootmnt; + struct acl_object_label *retval; + + read_lock(&child_reaper->fs->lock); + rootmnt = mntget(child_reaper->fs->rootmnt); + root = dget(child_reaper->fs->root); + read_unlock(&child_reaper->fs->lock); + spin_lock(&dcache_lock); + + for (;;) { + if (unlikely(dentry == root && mnt == rootmnt)) + break; + if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) { + if (mnt->mnt_parent == mnt) + break; + + read_lock(&gr_inode_lock); + retval = lookup_acl_obj_label(dentry->d_inode->i_ino, dentry->d_inode->i_dev, subj); + read_unlock(&gr_inode_lock); + if (unlikely(retval && !(retval->mode & GR_DELETED))) + goto out; + + dentry = mnt->mnt_mountpoint; + mnt = mnt->mnt_parent; + continue; + } + + read_lock(&gr_inode_lock); + retval = lookup_acl_obj_label(dentry->d_inode->i_ino, dentry->d_inode->i_dev, subj); + read_unlock(&gr_inode_lock); + if (unlikely(retval && !(retval->mode & GR_DELETED))) + goto out; + + dentry = dentry->d_parent; + } + + read_lock(&gr_inode_lock); + retval = lookup_acl_obj_label(dentry->d_inode->i_ino, dentry->d_inode->i_dev, subj); + read_unlock(&gr_inode_lock); + + if (unlikely(!retval || (retval->mode & GR_DELETED))) { + read_lock(&gr_inode_lock); + retval = lookup_acl_obj_label(root->d_inode->i_ino, root->d_inode->i_dev, subj); + read_unlock(&gr_inode_lock); + } +out: + spin_unlock(&dcache_lock); + dput(root); + mntput(rootmnt); + + return (retval->mode & reqmode); +} + +static struct acl_subject_label * +chk_subj_label(const struct dentry * l_dentry, const struct vfsmount * l_mnt) +{ + struct dentry * dentry = (struct dentry *)l_dentry; + struct vfsmount * mnt = (struct vfsmount *)l_mnt; + struct dentry *root; + struct vfsmount *rootmnt; + struct acl_subject_label *retval; + + read_lock(&child_reaper->fs->lock); + rootmnt = mntget(child_reaper->fs->rootmnt); + root = dget(child_reaper->fs->root); + read_unlock(&child_reaper->fs->lock); + spin_lock(&dcache_lock); + + for (;;) { + if (unlikely(dentry == root && mnt == rootmnt)) + break; + if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) { + if (mnt->mnt_parent == mnt) + break; + + read_lock(&gr_inode_lock); + retval = lookup_acl_subj_label(dentry->d_inode->i_ino, dentry->d_inode->i_dev); + read_unlock(&gr_inode_lock); + if (unlikely(retval && !(retval->mode & GR_DELETED))) + goto out; + + dentry = mnt->mnt_mountpoint; + mnt = mnt->mnt_parent; + continue; + } + + read_lock(&gr_inode_lock); + retval = lookup_acl_subj_label(dentry->d_inode->i_ino, dentry->d_inode->i_dev); + read_unlock(&gr_inode_lock); + if (unlikely(retval && !(retval->mode & GR_DELETED))) + goto out; + + dentry = dentry->d_parent; + } + + read_lock(&gr_inode_lock); + retval = lookup_acl_subj_label(dentry->d_inode->i_ino, dentry->d_inode->i_dev); + read_unlock(&gr_inode_lock); + + if (unlikely(!retval || (retval->mode & GR_DELETED))) { + read_lock(&gr_inode_lock); + retval = lookup_acl_subj_label(root->d_inode->i_ino, root->d_inode->i_dev); + read_unlock(&gr_inode_lock); + } +out: + spin_unlock(&dcache_lock); + dput(root); + mntput(rootmnt); + + return retval; +} + +static __inline__ void +gr_log_learn(const struct acl_subject_label *curracl, const struct dentry *dentry, + const struct vfsmount *mnt, const char *pathname, const __u32 mode) +{ + security_learn(GR_LEARN_AUDIT_MSG, curracl->device, (unsigned long)curracl->inode, + dentry->d_inode ? (unsigned long)dentry->d_inode->i_dev : 0UL, + dentry->d_inode ? (unsigned long)dentry->d_inode->i_ino : 0UL, + pathname, (unsigned long)mode); + + return; +} + +__u32 +gr_search_file(const struct dentry *dentry, const __u32 mode, const struct vfsmount *mnt) +{ + __u32 retval = mode; + struct acl_subject_label * curracl; + + if (unlikely(!(gr_status & GR_READY))) return (mode & ~GR_AUDITS); + + curracl = current->acl; + + retval = chk_obj_label(dentry, mnt, mode, curracl); + + if (unlikely((curracl->mode & GR_LEARN) && (retval != mode))) { + __u32 new_mode = mode; + + new_mode &= ~GR_AUDITS; + + retval = new_mode; + + gr_log_learn(curracl, dentry, mnt, gr_to_filename(dentry, mnt), new_mode); + } + + return retval; +} + +__u32 +gr_check_create(const struct dentry *new_dentry, const struct dentry *parent, + const struct vfsmount *mnt, const __u32 mode) +{ + struct name_entry *match; + struct acl_object_label *matchpo; + struct acl_subject_label *curracl; + __u32 retval; + + if (unlikely(!(gr_status & GR_READY))) + return (mode &~ GR_AUDITS); + + match = lookup_name_entry(gr_to_filename(new_dentry, mnt)); + + if (!match) + goto check_parent; + + curracl = current->acl; + + read_lock(&gr_inode_lock); + matchpo = lookup_acl_obj_label(match->inode, match->device, curracl); + read_unlock(&gr_inode_lock); + + if (matchpo) { + if ((matchpo->mode & mode) != mode && curracl->mode & GR_LEARN) { + __u32 new_mode = mode; + + new_mode &= ~GR_AUDITS; + + gr_log_learn(curracl, new_dentry, mnt, gr_to_filename(new_dentry, mnt), new_mode); + + return new_mode; + } + return (matchpo->mode & mode); + } + +check_parent: + curracl = current->acl; + + retval = chk_obj_label(parent, mnt, mode, curracl); + + if((retval != mode) && (curracl->mode & GR_LEARN)) { + __u32 new_mode = mode; + + new_mode &= ~GR_AUDITS; + + gr_log_learn(curracl, new_dentry, mnt, gr_to_filename(new_dentry, mnt), new_mode); + return new_mode; + } + + return retval; +} + +int +gr_check_hidden_task(const struct task_struct *task) +{ + if (unlikely(!(gr_status & GR_READY))) + return 0; + + if (!(task->acl->mode & GR_FIND) && + !(current->acl->mode & GR_VIEW)) + return 1; + + return 0; +} + +int +gr_check_protected_task(const struct task_struct *task) +{ + if (unlikely(!(gr_status & GR_READY) || !task)) + return 0; + + if ((task->acl->mode & GR_PROTECTED) && + !(current->acl->mode & GR_KILL)) + return 1; + + return 0; +} + +__inline__ void gr_copy_label(struct task_struct *tsk) +{ + /* We don't need to lock task...because task is being created + * in do_fork() so it can't be modified anywhere else as it has + * yet to be a true process. see kernel/fork.c */ + + tsk->used_accept = 0; + tsk->used_connect = 0; + tsk->acl_admin = 0; + tsk->acl = current->acl; + tsk->curr_ip = current->curr_ip; + if (unlikely(current->used_accept)) + current->curr_ip = 0; + + return; +} + +static __inline__ void gr_set_proc_res(void) +{ + struct acl_subject_label * proc; + unsigned short i; + + proc = current->acl; + + if (proc->mode & GR_LEARN) + return; + + for (i = 0; i < RLIM_NLIMITS; i++) { + if (!(proc->resmask & (1 << i))) + continue; + + current->rlim[i].rlim_cur = proc->res[i].rlim_cur; + current->rlim[i].rlim_max = proc->res[i].rlim_max; + } + + return; +} + +void gr_set_pax_flags(struct task_struct *task) +{ + struct acl_subject_label * proc; + + if (unlikely(!(gr_status & GR_READY))) + return; + + proc = task->acl; + + if (proc->mode & GR_PAXPAGE) + task->flags &= ~PF_PAX_PAGEEXEC; + if (proc->mode & GR_PAXSEGM) + task->flags &= ~PF_PAX_SEGMEXEC; + if (proc->mode & GR_PAXGCC) + task->flags |= PF_PAX_EMUTRAMP; + if (proc->mode & GR_PAXMPROTECT) + task->flags &= ~PF_PAX_MPROTECT; + if (proc->mode & GR_PAXRANDMMAP) + task->flags &= ~PF_PAX_RANDMMAP; + if (proc->mode & GR_PAXRANDEXEC) + task->flags |= PF_PAX_RANDEXEC; + + return; +} + +void +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt) +{ + struct acl_subject_label *newacl; + __u32 retmode; + + if (unlikely(!(gr_status & GR_READY))) + return; + + newacl = chk_subj_label(dentry, mnt); + + retmode = chk_obj_label(dentry, mnt, GR_INHERIT | GR_AUDIT_INHERIT, current->acl); + + if ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT)) + current->acl = newacl; + else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT) + security_audit(GR_INHERIT_ACL_MSG, current->acl->filename, + gr_to_filename(dentry, mnt), DEFAULTSECARGS); + + gr_set_proc_res(); + + return; +} + +static __inline__ void +do_handle_delete(const ino_t ino, const kdev_t dev) +{ + struct acl_object_label *matchpo; + struct acl_subject_label *matchps; + struct acl_subject_label *i; + + for (i = subj_list_head; i; i = i->next) { + if ((matchpo = lookup_acl_obj_label(ino, dev, i)) != NULL) + matchpo->mode |= GR_DELETED; + } + + if ((matchps = lookup_acl_subj_label(ino, dev)) != NULL) + matchps->mode |= GR_DELETED; + + return; +} + +void +gr_handle_delete(const ino_t ino, const kdev_t dev) +{ + if (unlikely(!(gr_status & GR_READY))) return; + + write_lock(&gr_inode_lock); + if (lookup_inodev_entry(ino, dev)) + do_handle_delete(ino, dev); + write_unlock(&gr_inode_lock); + + return; +} + +static __inline__ void +update_acl_obj_label(const ino_t oldinode, const kdev_t olddevice, const ino_t newinode, + const kdev_t newdevice, struct acl_subject_label *subj) +{ + unsigned long index = fhash(oldinode, olddevice, subj->obj_hash_size); + struct acl_object_label **match; + struct acl_object_label *tmp; + __u8 i = 0; + + match = &subj->obj_hash[index]; + + while (*match && ((*match)->inode != oldinode || (*match)->device != olddevice)) { + index = (index + (1 << i)) % subj->obj_hash_size; + match = &subj->obj_hash[index]; + i = (i + 1) % 32; + } + + if (*match && ((*match) != deleted_object) && ((*match)->inode == oldinode) && + ((*match)->device == olddevice)) { + tmp = *match; + tmp->inode = newinode; + tmp->device = newdevice; + tmp->mode &= ~GR_DELETED; + + *match = deleted_object; + + insert_acl_obj_label(tmp, subj); + } + + return; +} + +static __inline__ void +update_acl_subj_label(const ino_t oldinode, const kdev_t olddevice, const ino_t newinode, + const kdev_t newdevice) +{ + unsigned long index = fhash(oldinode, olddevice, acl_subj_set.s_size); + struct acl_subject_label **match; + struct acl_subject_label *tmp; + __u8 i = 0; + + match = &acl_subj_set.s_hash[index]; + + while (*match && ((*match)->inode != oldinode || (*match)->device != olddevice)) { + index = (index + (1 << i)) % acl_subj_set.s_size; + i = (i + 1) % 32; + match = &acl_subj_set.s_hash[index]; + } + + if (*match && (*match != deleted_subject) && ((*match)->inode == oldinode) && + ((*match)->device == olddevice)) { + tmp = *match; + + tmp->inode = newinode; + tmp->device = newdevice; + tmp->mode &= ~GR_DELETED; + + *match = deleted_subject; + + insert_acl_subj_label(tmp); + } + + return; +} + +static __inline__ void +update_inodev_entry(const ino_t oldinode, const kdev_t olddevice, const ino_t newinode, + const kdev_t newdevice) +{ + unsigned long index = fhash(oldinode, olddevice, inodev_set.n_size); + struct name_entry **match; + struct name_entry *tmp; + __u8 i = 0; + + match = &inodev_set.n_hash[index]; + + while (*match && ((*match)->inode != oldinode || (*match)->device != olddevice)) { + index = (index + (1 << i)) % inodev_set.n_size; + i = (i + 1) % 32; + match = &inodev_set.n_hash[index]; + } + + if (*match && (*match != deleted_inodev) && ((*match)->inode == oldinode) && + ((*match)->device == olddevice)) { + tmp = *match; + + tmp->inode = newinode; + tmp->device = newdevice; + + *match = deleted_inodev; + + insert_inodev_entry(tmp); + } + + return; +} + +static __inline__ void +do_handle_create(const struct name_entry *matchn, const struct dentry * dentry, + const struct vfsmount * mnt) +{ + struct acl_subject_label *i; + + update_acl_subj_label(matchn->inode, matchn->device, + dentry->d_inode->i_ino, + dentry->d_inode->i_dev); + + for (i = subj_list_head; i; i = i->next) { + update_acl_obj_label(matchn->inode, matchn->device, + dentry->d_inode->i_ino, + dentry->d_inode->i_dev, i); + } + + update_inodev_entry(matchn->inode, matchn->device, dentry->d_inode->i_ino, + dentry->d_inode->i_dev); + + return; +} + +void +gr_handle_create(const struct dentry * dentry, const struct vfsmount * mnt) +{ + struct name_entry *matchn; + + if (unlikely(!(gr_status & GR_READY))) return; + + matchn = lookup_name_entry(gr_to_filename(dentry, mnt)); + + if (matchn) { + write_lock(&gr_inode_lock); + do_handle_create(matchn, dentry, mnt); + write_unlock(&gr_inode_lock); + } + + return; +} + +int +gr_handle_rename(struct inode * old_dir, struct inode * new_dir, + struct dentry * old_dentry, + struct dentry * new_dentry, + struct vfsmount * mnt, const __u8 replace) +{ + struct name_entry *matchn; + int error = 0; + + matchn = lookup_name_entry(gr_to_filename(new_dentry, mnt)); + + lock_kernel(); + error = vfs_rename(old_dir, old_dentry, new_dir, new_dentry); + unlock_kernel(); + + if(error) + return error; + + /* we wouldn't have to check d_inode if it weren't for + NFS silly-renaming + */ + + write_lock(&gr_inode_lock); + if (unlikely(replace && new_dentry->d_inode)) { + if (lookup_inodev_entry(new_dentry->d_inode->i_ino, + new_dentry->d_inode->i_dev)) + do_handle_delete(new_dentry->d_inode->i_ino, + new_dentry->d_inode->i_dev); + } + + if (lookup_inodev_entry(old_dentry->d_inode->i_ino, + old_dentry->d_inode->i_dev)) + do_handle_delete(old_dentry->d_inode->i_ino, + old_dentry->d_inode->i_dev); + + if (matchn) + do_handle_create(matchn, old_dentry, mnt); + write_unlock(&gr_inode_lock); + + return error; +} + +/* The following variables are needed for timer manipulation */ +static struct timer_list gr_badpw; +static int failures = 0; +static int during_wait = 0; + +static void +gr_timer(unsigned long ignored) +{ + failures = 0; + during_wait = 0; + del_timer(&gr_badpw); + + return; +} + +int +gr_proc_handler(ctl_table * table, int write, struct file *filp, void *buffer, + size_t * lenp) +{ + struct gr_arg *arg; + struct gr_arg usermode; + int error = sizeof (struct gr_arg); + + if (!write) return -EPERM; + + spin_lock(&gr_proc_lock); + + arg = (struct gr_arg *) buffer; + + if (*lenp != sizeof (struct gr_arg)) { + security_alert_good(GR_PROC_ACL_MSG, GR_PROC_ACL_FLD, + (int) *lenp, (int) sizeof (struct gr_arg)); + error = -EINVAL; + goto out; + } + if (during_wait) { + error = -EPERM; + goto out; + } + + if (copy_from_user(&usermode, arg, sizeof (struct gr_arg))) { + error = -EFAULT; + goto out; + } + + /* ensure pw is null terminated */ + + usermode.pw[GR_PW_LEN - 1] = '\0'; + + /* Okay. + * We have our enough of the argument structure..(we have yet + * to copy_from_user the tables themselves) . Copy the tables + * only if we need them, i.e. for loading operations. */ + + switch (usermode.mode) { + case SHUTDOWN: + if ((gr_status & GR_READY) && !(chkpw(&usermode,&pwent))) { + gr_status &= ~GR_READY; + security_alert_good(GR_SHUTS_ACL_MSG, GR_SHUTS_ACL_FLD, + DEFAULTSECARGS); + free_variables(); + memset(&usermode, 0, sizeof(struct gr_arg)); + memset(&pwent, 0, sizeof(struct admin_pw)); + } else if(gr_status & GR_READY) { + security_alert(GR_SHUTF_ACL_MSG, GR_SHUTF_ACL_FLD, + DEFAULTSECARGS); + error = -EPERM; + } else + security_alert_good(GR_SHUTI_ACL_MSG, GR_SHUTI_ACL_FLD, + DEFAULTSECARGS); + break; + case ENABLE: + if (!(gr_status & GR_READY) && + !gracl_init(&usermode)) + security_alert_good(GR_ENABLE_ACL_MSG, GR_ENABLE_ACL_FLD, + GR_VERSION); + else + security_alert(GR_ENABLEF_ACL_MSG, GR_ENABLEF_ACL_FLD, + GR_VERSION, DEFAULTSECARGS); + break; + case RELOAD: + if (!(gr_status & GR_READY)) + security_alert_good(GR_RELOADI_ACL_MSG, GR_RELOADI_ACL_FLD); + else if (!(chkpw(&usermode, &pwent))) { + gr_status &= ~GR_READY; + free_variables(); + if(!gracl_init(&usermode)) + security_alert_good(GR_RELOAD_ACL_MSG, + GR_RELOAD_ACL_FLD, GR_VERSION); + else + security_alert(GR_RELOADF_ACL_MSG, + GR_RELOADF_ACL_FLD, GR_VERSION, + DEFAULTSECARGS); + } else { + security_alert(GR_RELOADF_ACL_MSG, + GR_RELOADF_ACL_FLD, GR_VERSION, + DEFAULTSECARGS); + error = -EPERM; + } + break; + case SEGVMOD: + if (unlikely(!(gr_status & GR_READY))) { + security_alert_good(GR_SEGVMODI_ACL_MSG, GR_SEGVMODI_ACL_FLD, + DEFAULTSECARGS); + break; + } + + if (!(chkpw(&usermode, &pwent))) { + security_alert_good(GR_SEGVMODS_ACL_MSG, GR_SEGVMODS_ACL_FLD, + DEFAULTSECARGS); + if(usermode.segv_device && usermode.segv_inode) { + struct acl_subject_label * segvacl; + segvacl = lookup_acl_subj_label(usermode.segv_inode, usermode.segv_device); + if(segvacl) { + segvacl->crashes = 0; + segvacl->expires = 0; + } + } else if (gr_find_uid(usermode.segv_uid) >= 0) { + gr_remove_uid(usermode.segv_uid); + } + } else { + security_alert(GR_SEGVMODF_ACL_MSG, GR_SEGVMODF_ACL_FLD, + DEFAULTSECARGS); + error = -EPERM; + } + break; + case GOD: + if (unlikely(!(gr_status & GR_READY))) { + security_alert_good(GR_ADMINI_ACL_MSG, GR_ADMINI_ACL_FLD, + DEFAULTSECARGS); + break; + } + + if (!(chkpw(&usermode, &pwent))) { + security_alert_good(GR_ADMINS_ACL_MSG, GR_ADMINS_ACL_FLD, + DEFAULTSECARGS); + read_lock(&tasklist_lock); + if (current->p_pptr) { + current->p_pptr->acl = (struct acl_subject_label *) god_label; + current->p_pptr->acl_admin = 1; + } + read_unlock(&tasklist_lock); + } else { + security_alert(GR_ADMINF_ACL_MSG, GR_ADMINF_ACL_FLD, + DEFAULTSECARGS); + error = -EPERM; + } + + break; + default: + security_alert(GR_INVMODE_ACL_MSG, GR_INVMODE_ACL_FLD, + usermode.mode, DEFAULTSECARGS); + break; + } + + if (error != -EPERM) + goto out; + + failures++; + + if (failures > CONFIG_GRKERNSEC_ACL_MAXTRIES) { + security_alert(GR_MAXPW_ACL_MSG, GR_MAXPW_ACL_FLD, + CONFIG_GRKERNSEC_ACL_MAXTRIES); + init_timer(&gr_badpw); + gr_badpw.data = 0; + gr_badpw.function = gr_timer; + gr_badpw.expires = jiffies + CONFIG_GRKERNSEC_ACL_TIMEOUT * HZ; + add_timer(&gr_badpw); + during_wait = 1; + } + + +out: + spin_unlock(&gr_proc_lock); + return error; +} + + +static __inline__ struct file * gr_find_proc_file(struct task_struct * task) +{ + struct mm_struct * mm; + struct vm_area_struct * vma; + struct file * result = NULL; + + task_lock(task); + mm = task->mm; + if (mm) + atomic_inc(&mm->mm_users); + task_unlock(task); + if (!mm) + goto out; + down_read(&mm->mmap_sem); + + for(vma = mm->mmap; vma; vma = vma->vm_next) { + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file) { + result = vma->vm_file; + break; + } + } + up_read(&mm->mmap_sem); + mmput(mm); +out: + return result; +} + +int gr_set_acls(const int type) +{ + struct task_struct *task; + struct file * filp; + unsigned short i; + + read_lock(&tasklist_lock); + for_each_task(task) { + /* check to see if we're called from the exit handler, + if so, only replace ACLs that have inherited the admin + ACL */ + if (type && task->acl != god_label) continue; + + if ((filp = gr_find_proc_file(task))) { + task->acl = chk_subj_label(filp->f_dentry, filp->f_vfsmnt); + if (task->acl) { + struct acl_subject_label *curr; + curr = task->acl; + + if(!(curr->mode & GR_LEARN)) + for(i = 0; i < RLIM_NLIMITS; i++) { + if(!(curr->resmask & (1 << i))) + continue; + + task->rlim[i].rlim_cur = curr->res[i].rlim_cur; + task->rlim[i].rlim_max = curr->res[i].rlim_max; + } + } else { + read_unlock(&tasklist_lock); + security_alert_good(GR_DEFACL_MSG, GR_DEFACL_FLD, + task->comm, task->pid); + return 1; + } + } else { + // it's a kernel process +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN + kernel_label->mode &= ~GR_FIND; +#endif + task->acl = kernel_label; + } + } + read_unlock(&tasklist_lock); + return 0; +} + +void gr_learn_resource(const struct task_struct * task, + const int res, const unsigned long wanted) +{ + struct acl_subject_label *acl; + + if (unlikely((gr_status & GR_READY) && + task->acl && (task->acl->mode & GR_LEARN))) + goto skip_reslog; + +#ifdef CONFIG_GRKERNSEC_RESLOG + gr_log_resource(task, res, wanted); +#endif +skip_reslog: + + if(unlikely(!(gr_status & GR_READY) || !wanted)) return; + + acl = task->acl; + + if(likely(!acl || !(acl->mode & GR_LEARN) || + !(acl->resmask & (1 << (unsigned short)res)))) + return; + + if (wanted >= acl->res[res].rlim_cur) + { + unsigned long res_add; + + res_add = wanted; + switch(res) { + case RLIMIT_CPU: res_add += GR_RLIM_CPU_BUMP; break; + case RLIMIT_FSIZE: res_add += GR_RLIM_FSIZE_BUMP; break; + case RLIMIT_DATA: res_add += GR_RLIM_DATA_BUMP; break; + case RLIMIT_STACK: res_add += GR_RLIM_STACK_BUMP; break; + case RLIMIT_CORE: res_add += GR_RLIM_CORE_BUMP; break; + case RLIMIT_RSS: res_add += GR_RLIM_RSS_BUMP; break; + case RLIMIT_NPROC: res_add += GR_RLIM_NPROC_BUMP; break; + case RLIMIT_NOFILE: res_add += GR_RLIM_NOFILE_BUMP; break; + case RLIMIT_MEMLOCK: res_add += GR_RLIM_MEMLOCK_BUMP; break; + case RLIMIT_AS: res_add += GR_RLIM_AS_BUMP; break; + case RLIMIT_LOCKS: res_add += GR_RLIM_LOCKS_BUMP; break; + } + + acl->res[res].rlim_cur = res_add; + + if (wanted > acl->res[res].rlim_max) + acl->res[res].rlim_max = res_add; + + security_learn(GR_LEARN_AUDIT_MSG, acl->device, + (unsigned long)acl->inode, acl->res[res].rlim_cur, + acl->res[res].rlim_max, "", (unsigned long)res); + } + + return; +} + +#ifdef CONFIG_SYSCTL +extern struct proc_dir_entry * proc_sys_root; + +__u32 gr_handle_sysctl(const struct ctl_table * table, const void *oldval, + const void *newval) +{ + struct proc_dir_entry * tmp; + struct nameidata nd; + const char * proc_sys = "/proc/sys"; + char *path = gr_shared_page[smp_processor_id()]; + unsigned short len = 0, pos = 0, depth = 0, i; + __u32 err = 0; + __u32 mode = 0; + + if (unlikely(!(gr_status & GR_READY))) return 1; + + if (oldval) + mode |= GR_READ; + if (newval) + mode |= GR_WRITE; + + /* convert the requested sysctl entry into a pathname */ + + for(tmp = table->de; tmp != proc_sys_root; tmp = tmp->parent) { + len += strlen(tmp->name); + len++; + depth++; + } + + if((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) + return 0; // deny + + memset(path, 0, PAGE_SIZE); + + memcpy(path, proc_sys, strlen(proc_sys)); + + pos += strlen(proc_sys); + + for(; depth > 0; depth--) { + path[pos] = '/'; + pos++; + for(i = 1, tmp = table->de; tmp != proc_sys_root; tmp = tmp->parent) { + if(depth == i) { + memcpy(path + pos, tmp->name, strlen(tmp->name)); + pos += strlen(tmp->name); + } + i++; + } + } + + if (path_init(path, LOOKUP_FOLLOW, &nd)) + err = path_walk(path, &nd); + + if(err) + goto out; + + err = chk_obj_label(nd.dentry, nd.mnt, mode | to_gr_audit(mode), current->acl); + + if (unlikely((current->acl->mode & GR_LEARN) && ((err & mode) != mode))) { + __u32 new_mode = mode; + + new_mode &= ~GR_AUDITS; + + err = new_mode; + gr_log_learn(current->acl, nd.dentry, nd.mnt, path, new_mode); + } else if ((err & mode) != mode) { + security_alert(GR_SYSCTL_ACL_MSG, GR_SYSCTL_ACL_FLD, "denied", + path, (mode & GR_READ) ? " reading" : "", + (mode & GR_WRITE) ? " writing" : "", + DEFAULTSECARGS); + } else if (((err & mode) == mode) && (err & GR_AUDITS)) { + security_audit(GR_SYSCTL_ACL_MSG, "successful", + path, (mode & GR_READ) ? " reading" : "", + (mode & GR_WRITE) ? " writing" : "", + DEFAULTSECARGS); + } + + path_release(&nd); + +out: + return err; +} +#endif + +int gr_handle_ptrace(struct task_struct * task, const long request) +{ + __u32 retmode; + struct file *filp; + + if(unlikely(!(gr_status & GR_READY))) return 0; + + filp = gr_find_proc_file(task); + + if (!filp) + return 0; + + retmode = gr_search_file(filp->f_dentry, GR_PTRACERD, + filp->f_vfsmnt); + + if (retmode & GR_PTRACERD) { + switch (request) { + case PTRACE_POKETEXT: + case PTRACE_POKEDATA: + case PTRACE_POKEUSR: +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) + case PTRACE_SETREGS: + case PTRACE_SETFPREGS: +#endif +#ifdef CONFIG_X86 + case PTRACE_SETFPXREGS: +#endif +#ifdef CONFIG_ALTIVEC + case PTRACE_SETVRREGS: +#endif + return 1; + default: + return 0; + } + } else if(!(current->acl->mode & GR_OVERRIDE) && + (current->acl != god_label) && (task->acl != current->acl)) { + security_alert(GR_PTRACE_ACL_MSG, GR_PTRACE_ACL_FLD, + gr_to_filename(filp->f_dentry, filp->f_vfsmnt), + task->comm, task->pid, DEFAULTSECARGS); + return 1; + } + + return 0; +} + +int gr_handle_ptrace_exec(const struct dentry *dentry, const struct vfsmount *mnt) +{ + __u32 retmode; + struct acl_subject_label *subj; + + if(unlikely(!(gr_status & GR_READY))) return 0; + + if (unlikely((current->ptrace & PT_PTRACED) && !(current->acl->mode & GR_OVERRIDE))) + retmode = gr_search_file(dentry, GR_PTRACERD, mnt); + else + return 0; + + subj = chk_subj_label(dentry, mnt); + + if (!(retmode & GR_PTRACERD) && (current->acl != god_label) && + (current->acl != subj)) { + security_alert(GR_PTRACE_EXEC_ACL_MSG, GR_PTRACE_EXEC_ACL_FLD, + gr_to_filename(dentry, mnt), DEFAULTSECARGS); + return 1; + } + + return 0; +} + +int gr_handle_mmap(const struct file * filp, const unsigned long prot) +{ + struct file *exec_file; + + if(unlikely(!(gr_status & GR_READY) || + (current->acl->mode & GR_OVERRIDE) || !filp || + !(prot & PROT_EXEC))) return 0; + + exec_file = gr_find_proc_file(current); + + if (!exec_file) return 1; + + /* ignore processes that are writable by the default ACL */ + if (chk_obj_label(exec_file->f_dentry, exec_file->f_vfsmnt, GR_WRITE, root_label)) + return 0; + + if(chk_obj_label(filp->f_dentry, filp->f_vfsmnt, GR_WRITE, root_label)) { + security_alert(GR_WRITLIB_ACL_MSG, GR_WRITLIB_ACL_FLD, + gr_to_filename(filp->f_dentry, filp->f_vfsmnt), + DEFAULTSECARGS); + return 1; + } + + return 0; +} + +int gr_acl_handle_mmap(const struct file *file, const unsigned long prot) +{ + __u32 mode; + + if (!file || !(prot & PROT_EXEC)) return 1; + + mode = gr_search_file(file->f_dentry, GR_EXEC | GR_AUDIT_EXEC, file->f_vfsmnt); + + if (!gr_tpe_allow(file) || !(mode & GR_EXEC)) { + security_alert(GR_MMAP_ACL_MSG, GR_MMAP_ACL_FLD, "denied", + gr_to_filename(file->f_dentry, file->f_vfsmnt), + DEFAULTSECARGS); + return 0; + } else if (mode & GR_EXEC && mode & GR_AUDIT_EXEC) { + security_audit(GR_MMAP_ACL_MSG, "successful", + gr_to_filename(file->f_dentry, file->f_vfsmnt), + DEFAULTSECARGS); + return 1; + } + + return 1; +} + +int gr_acl_handle_mprotect(const struct file *file, const unsigned long prot) +{ + __u32 mode; + + if (!file || !(prot & PROT_EXEC)) return 1; + + mode = gr_search_file(file->f_dentry, GR_EXEC | GR_AUDIT_EXEC, + file->f_vfsmnt); + + if (!gr_tpe_allow(file) || !(mode & GR_EXEC)) { + security_alert(GR_MPROTECT_ACL_MSG, GR_MPROTECT_ACL_FLD, "denied", + gr_to_filename(file->f_dentry, file->f_vfsmnt), + DEFAULTSECARGS); + return 0; + } else if (mode & GR_EXEC && mode & GR_AUDIT_EXEC) { + security_audit(GR_MPROTECT_ACL_MSG, "successful", + gr_to_filename(file->f_dentry, file->f_vfsmnt), + DEFAULTSECARGS); + return 1; + } + + return 1; +} diff -urN linux-2.4.20/grsecurity/gracl_alloc.c linux-2.4.20/grsecurity/gracl_alloc.c --- linux-2.4.20/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/gracl_alloc.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,87 @@ +/* stack-based acl allocation tracking (c) Brad Spengler 2002,2003 */ + +#include +#include +#include +#include +#include +#include + +static unsigned long alloc_stack_next = 1; +static unsigned long alloc_stack_size = 1; +static void ** alloc_stack; + +static __inline__ int alloc_pop(void) +{ + if ((alloc_stack_next - 1) == 0) + return 0; + + kfree(*(alloc_stack + alloc_stack_next - 2)); + + alloc_stack_next--; + + return 1; +} + +static __inline__ void alloc_push(void *buf) +{ + if (alloc_stack_next >= alloc_stack_size) + BUG(); + + *(alloc_stack + alloc_stack_next - 1) = buf; + + alloc_stack_next++; + + return; +} + +void *acl_alloc(unsigned long len) +{ + void *ret; + + if (len > PAGE_SIZE) + BUG(); + + ret = kmalloc(len, GFP_KERNEL); + + if (ret) + alloc_push(ret); + + return ret; +} + +void acl_free_all(void) +{ + if (gr_acl_is_enabled() || !alloc_stack) return; + + while(alloc_pop()); + + if (alloc_stack) { + if ((alloc_stack_size * sizeof(void *)) <= PAGE_SIZE) + kfree(alloc_stack); + else + vfree(alloc_stack); + } + + alloc_stack = NULL; + alloc_stack_size = 1; + alloc_stack_next = 1; + + return; +} + +int acl_alloc_stack_init(unsigned long size) +{ + if ((size * sizeof(void *)) <= PAGE_SIZE) + alloc_stack = (void **)kmalloc(size * sizeof(void *), GFP_KERNEL); + else + alloc_stack = (void **)vmalloc(size * sizeof(void *)); + + alloc_stack_size = size; + + if (!alloc_stack) + return 0; + else + return 1; +} + diff -urN linux-2.4.20/grsecurity/gracl_cap.c linux-2.4.20/grsecurity/gracl_cap.c --- linux-2.4.20/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/gracl_cap.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,63 @@ +/* capability handling routines, (c) Brad Spengler 2002,2003 */ + +#include +#include +#include +#include +#include +#include + +static const char * captab_log[29] = { + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_DAC_READ_SEARCH", + "CAP_FOWNER", + "CAP_FSETID", + "CAP_KILL", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETPCAP", + "CAP_LINUX_IMMUTABLE", + "CAP_NET_BIND_SERVICE", + "CAP_NET_BROADCAST", + "CAP_NET_ADMIN", + "CAP_NET_RAW", + "CAP_IPC_LOCK", + "CAP_IPC_OWNER", + "CAP_SYS_MODULE", + "CAP_SYS_RAWIO", + "CAP_SYS_CHROOT", + "CAP_SYS_PTRACE", + "CAP_SYS_PACCT", + "CAP_SYS_ADMIN", + "CAP_SYS_BOOT", + "CAP_SYS_NICE", + "CAP_SYS_RESOURCE", + "CAP_SYS_TIME", + "CAP_SYS_TTY_CONFIG", + "CAP_MKNOD", + "CAP_LEASE" +}; + +int gr_is_capable(const int cap) +{ + struct acl_subject_label * curracl; + + if(!gr_acl_is_enabled()) return 1; + + curracl = current->acl; + + if(!cap_raised(curracl->cap_lower, cap)) return 1; + + if((curracl->mode & GR_LEARN) && cap_raised(current->cap_effective, cap)) { + security_learn(GR_LEARN_AUDIT_MSG, curracl->device, + curracl->inode, 0UL, 0UL, "", (unsigned long)cap); + return 1; + } + + if((cap >= 0) && (cap < 29) && cap_raised(current->cap_effective, cap)) + security_alert(GR_CAP_ACL_MSG, GR_CAP_ACL_FLD, + captab_log[cap], DEFAULTSECARGS); + + return 0; +} diff -urN linux-2.4.20/grsecurity/gracl_fs.c linux-2.4.20/grsecurity/gracl_fs.c --- linux-2.4.20/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/gracl_fs.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,400 @@ +#include +#include +#include +#include +#include +#include +#include +#include + +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry, const struct vfsmount *mnt) +{ + __u32 mode; + + if (unlikely(!dentry->d_inode)) return GR_FIND; + + mode = gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND, mnt); + + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) { + security_audit(GR_HIDDEN_ACL_MSG, "successful", + gr_to_filename(dentry, mnt), DEFAULTSECARGS); + return mode; + } else if (unlikely(!(mode & GR_FIND))) { + security_alert(GR_HIDDEN_ACL_MSG, GR_HIDDEN_ACL_FLD, + "denied", gr_to_filename(dentry, mnt), + DEFAULTSECARGS); + return 0; + } + + return GR_FIND; +} + +__u32 gr_acl_handle_open(const struct dentry *dentry, const struct vfsmount *mnt, + const int fmode) +{ + __u32 reqmode = GR_FIND; + __u32 mode; + + if (unlikely(!dentry->d_inode)) return reqmode; + + if (fmode & O_APPEND) + reqmode |= GR_APPEND; + else if (fmode & FMODE_WRITE) + reqmode |= GR_WRITE; + if ((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)) + reqmode |= GR_READ; + + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode), mnt); + + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) { + security_audit(GR_OPEN_ACL_MSG, "successful", + gr_to_filename(dentry, mnt), + reqmode & GR_READ ? " reading" : "", + reqmode & GR_WRITE ? " writing" : + reqmode & GR_APPEND ? " appending" : "", + DEFAULTSECARGS); + return reqmode; + } else if (unlikely((mode & reqmode) != reqmode)) { + security_alert(GR_OPEN_ACL_MSG, GR_OPEN_ACL_FLD, + "denied", gr_to_filename(dentry, mnt), + reqmode & GR_READ ? " reading" : "", + reqmode & GR_WRITE ? " writing" : + reqmode & GR_APPEND ? " appending" : "", + DEFAULTSECARGS); + return 0; + } + + return reqmode; +} + +__u32 gr_acl_handle_creat(const struct dentry *dentry, + const struct dentry *p_dentry, + const struct vfsmount *p_mnt, + const int fmode) +{ + __u32 reqmode = GR_WRITE; + __u32 mode; + + if (fmode & O_APPEND) + reqmode |= GR_APPEND; + if ((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)) + reqmode |= GR_READ; + + mode = gr_check_create(dentry, p_dentry, p_mnt, reqmode | to_gr_audit(reqmode)); + + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) { + security_audit(GR_OPEN_ACL_MSG, "successful", + gr_to_filename(dentry, p_mnt), + reqmode & GR_READ ? " reading" : "", + reqmode & GR_WRITE ? " writing" : + reqmode & GR_APPEND ? " appending" : "", + DEFAULTSECARGS); + return reqmode; + } else if (unlikely((mode & reqmode) != reqmode)) { + security_alert(GR_OPEN_ACL_MSG, GR_OPEN_ACL_FLD, + "denied", gr_to_filename(dentry, p_mnt), + reqmode & GR_READ ? " reading" : "", + reqmode & GR_WRITE ? " writing" : + reqmode & GR_APPEND ? " appending" : "", + DEFAULTSECARGS); + return 0; + } + + return reqmode; +} + +__u32 gr_acl_handle_access(const struct dentry *dentry, const struct vfsmount *mnt, + const int fmode) +{ + __u32 mode, reqmode = GR_FIND; + + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode)) + reqmode |= GR_EXEC; + if (fmode & S_IWOTH) + reqmode |= GR_WRITE; + if (fmode & S_IROTH) + reqmode |= GR_READ; + + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode), mnt); + + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) { + security_audit(GR_ACCESS_ACL_MSG, "successful", + gr_to_filename(dentry, mnt), + reqmode & GR_READ ? " reading" : "", + reqmode & GR_WRITE ? " writing" : "", + reqmode & GR_EXEC ? " executing" : "", + DEFAULTSECARGS); + return reqmode; + } else if (unlikely((mode & reqmode) != reqmode)) { + security_alert(GR_ACCESS_ACL_MSG, GR_ACCESS_ACL_FLD, + "denied", gr_to_filename(dentry, mnt), + reqmode & GR_READ ? " reading" : "", + reqmode & GR_WRITE ? " writing" : "", + reqmode & GR_EXEC ? " executing" : "", + DEFAULTSECARGS); + return 0; + } + + return reqmode; +} + +#define generic_fs_handler(dentry, mnt, reqmode, fmt, flood_fmt) \ +{ \ + __u32 mode; \ + \ + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode), mnt); \ + \ + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) { \ + security_audit(fmt, "successful", \ + gr_to_filename(dentry, mnt), DEFAULTSECARGS); \ + return mode; \ + } else if (unlikely((mode & (reqmode)) != (reqmode))) { \ + security_alert(fmt, flood_fmt, \ + "denied", gr_to_filename(dentry, mnt), \ + DEFAULTSECARGS); \ + return 0; \ + } \ + \ + return (reqmode); \ +} + +__u32 gr_acl_handle_rmdir(const struct dentry *dentry, const struct vfsmount *mnt) +{ + generic_fs_handler(dentry, mnt, GR_WRITE, GR_RMDIR_ACL_MSG, + GR_RMDIR_ACL_FLD); +} + +__u32 gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt) +{ + generic_fs_handler(dentry, mnt, GR_WRITE, GR_UNLINK_ACL_MSG, + GR_UNLINK_ACL_FLD); +} + +__u32 gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt) +{ + generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG, + GR_TRUNCATE_ACL_FLD); +} + +__u32 gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt) +{ + generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG, + GR_ATIME_ACL_FLD); +} + +__u32 gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt) +{ + generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG, + GR_FCHMOD_ACL_FLD); +} + +__u32 gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt) +{ + generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG, + GR_CHMOD_ACL_FLD); +} + +__u32 gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt) +{ + generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG, + GR_CHOWN_ACL_FLD); +} + +__u32 gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt) +{ + generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG, + GR_EXEC_ACL_FLD); +} + +__u32 gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt) +{ + generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE, + GR_UNIXCONNECT_ACL_MSG, GR_UNIXCONNECT_ACL_FLD); +} + +__u32 gr_acl_handle_filldir(const struct dentry *dentry, const struct vfsmount *mnt, + const ino_t ino) +{ + if (dentry->d_inode) { + struct dentry d = *dentry; + struct inode inode = *(dentry->d_inode); + + inode.i_ino = ino; + d.d_inode = &inode; + + if (!gr_search_file(&d, GR_FIND, mnt)) + return 0; + } + + return 1; +} + +__u32 gr_acl_handle_link(const struct dentry *new_dentry, + const struct dentry *parent_dentry, + const struct vfsmount *parent_mnt, + const struct dentry *old_dentry, + const struct vfsmount *old_mnt, + const char *to) +{ + __u32 mode; + + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, GR_WRITE | GR_AUDIT_WRITE); + + if (unlikely(mode & GR_WRITE && mode & GR_AUDIT_WRITE)) { + security_audit(GR_LINK_ACL_MSG, "successful", + gr_to_filename(old_dentry, old_mnt), to, + DEFAULTSECARGS); + return mode; + } else if (unlikely(!(mode & GR_WRITE))) { + security_alert(GR_LINK_ACL_MSG, GR_LINK_ACL_FLD, "denied", + gr_to_filename(old_dentry, old_mnt), to, + DEFAULTSECARGS); + return 0; + } + + return GR_WRITE; +} + +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry, + const struct dentry *parent_dentry, + const struct vfsmount *parent_mnt, + const char *from) +{ + __u32 mode; + + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, GR_WRITE | GR_AUDIT_WRITE); + + if (unlikely(mode & GR_WRITE && mode & GR_AUDIT_WRITE)) { + security_audit(GR_SYMLINK_ACL_MSG, "successful", + from, gr_to_filename(new_dentry, parent_mnt), + DEFAULTSECARGS); + return mode; + } else if (unlikely(!(mode & GR_WRITE))) { + security_alert(GR_SYMLINK_ACL_MSG, GR_SYMLINK_ACL_FLD, "denied", + from, gr_to_filename(new_dentry, parent_mnt), + DEFAULTSECARGS); + return 0; + } + + return GR_WRITE; +} + +#define generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt, reqmode, fmt, flood_fmt) \ +{ \ + __u32 mode; \ + \ + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode)); \ + \ + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) { \ + security_audit(fmt, "successful", \ + gr_to_filename(new_dentry, parent_mnt), \ + DEFAULTSECARGS); \ + return mode; \ + } else if (unlikely((mode & (reqmode)) != (reqmode))) { \ + security_alert(fmt, flood_fmt, "denied", \ + gr_to_filename(new_dentry, parent_mnt), \ + DEFAULTSECARGS); \ + return 0; \ + } \ + \ + return (reqmode); \ +} + +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry, + const struct dentry *parent_dentry, + const struct vfsmount *parent_mnt) +{ + generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt, + GR_WRITE, GR_MKNOD_ACL_MSG, + GR_MKNOD_ACL_FLD); +} + +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry, + const struct dentry *parent_dentry, + const struct vfsmount *parent_mnt) +{ + generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt, + GR_WRITE, GR_MKDIR_ACL_MSG, + GR_MKDIR_ACL_FLD); +} + +#define RENAME_CHECK_SUCCESS(old, new) \ + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \ + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ))) + +int gr_acl_handle_rename(struct dentry *new_dentry, + struct dentry *parent_dentry, + const struct vfsmount *parent_mnt, + struct dentry *old_dentry, + struct inode *old_parent_inode, + struct vfsmount *old_mnt, + const char *newname) +{ + __u8 gr_replace = 1; + __u32 comp1, comp2; + int error = 0; + + if (unlikely(!gr_acl_is_enabled())) return 1; + + if (!new_dentry->d_inode) { + gr_replace = 0; + + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt, + GR_READ | GR_WRITE | GR_AUDIT_READ | + GR_AUDIT_WRITE); + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE | + GR_AUDIT_READ | GR_AUDIT_WRITE, + old_mnt); + } else { + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE | + GR_AUDIT_READ | GR_AUDIT_WRITE, + parent_mnt); + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE | + GR_AUDIT_READ | GR_AUDIT_WRITE, + old_mnt); + } + + if (RENAME_CHECK_SUCCESS(comp1, comp2) && + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS))) + security_audit(GR_RENAME_ACL_MSG, "successful", + gr_to_filename(old_dentry, old_mnt), + newname, DEFAULTSECARGS); + else if (!RENAME_CHECK_SUCCESS(comp1, comp2)) { + security_alert(GR_RENAME_ACL_MSG, GR_RENAME_ACL_FLD, + "denied", gr_to_filename(old_dentry, + old_mnt), newname, DEFAULTSECARGS); + error = -EACCES; + } + + if (error) return error; + + error = gr_handle_rename(old_parent_inode, parent_dentry->d_inode, + old_dentry, new_dentry, old_mnt, gr_replace); + + return error; +} + +void gr_acl_handle_exit(void) +{ + if (unlikely(current->acl_admin && gr_acl_is_enabled())) { + gr_set_acls(1); + security_alert_good(GR_ADMINL_ACL_MSG, GR_ADMINL_ACL_FLD, + DEFAULTSECARGS); + } +} + +int gr_acl_handle_procpidmem(const struct task_struct *task) +{ + if (unlikely(!gr_acl_is_enabled())) return 0; + + if (task->acl->mode & GR_PROTPROCFD) { + security_alert(GR_ACL_PIDMEM_MSG, GR_ACL_PIDMEM_FLD, + task->comm, task->pid, task->uid, task->euid, + task->p_pptr->comm, task->p_pptr->pid, + task->p_pptr->uid, task->p_pptr->euid, + DEFAULTSECARGS); + return -EACCES; + } + + return 0; +} diff -urN linux-2.4.20/grsecurity/gracl_ip.c linux-2.4.20/grsecurity/gracl_ip.c --- linux-2.4.20/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/gracl_ip.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,161 @@ +/* + * grsecurity/gracl_ip.c + * Copyright Brad Spengler 2002, 2003 + * + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define GR_BIND 0x01 +#define GR_CONNECT 0x02 + +int gr_search_socket(const int domain, const int type, const int protocol) +{ + struct acl_subject_label * curr; + + if(unlikely(!gr_acl_is_enabled())) goto exit; + + if((domain < 0) || (type < 0) || (protocol < 0) || (domain != PF_INET) || + (domain >= NPROTO) || (type >= SOCK_MAX) || (protocol > 255)) + goto exit; // let the kernel handle it + + curr = current->acl; + + if(!curr->ips) + goto exit; + + if((curr->ip_type & (1 << type)) && + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32)))) + goto exit; + + if(curr->mode & GR_LEARN) { + /* we don't place acls on raw sockets , and sometimes + dgram/ip sockets are opened for ioctl and not + bind/connect, so we'll fake a bind learn log */ + if (type == SOCK_RAW || type == SOCK_PACKET) { + __u32 fakeip = 0; + security_learn(GR_IP_LEARN_MSG, curr->device, curr->inode, + NIPQUAD(fakeip), 0, type, + protocol, GR_CONNECT); + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) { + __u32 fakeip = 0; + security_learn(GR_IP_LEARN_MSG, curr->device, curr->inode, + NIPQUAD(fakeip), 0, type, + protocol, GR_BIND); + } + /* we'll log when they use connect or bind */ + goto exit; + } + + security_alert(GR_SOCK_MSG, GR_SOCK_FLD, domain, type, protocol, + DEFAULTSECARGS); + + return 0; +exit: + return 1; +} + +static __inline__ int gr_search_connectbind(const int mode, const struct sock * sk, + const struct sockaddr_in * addr, const int type) +{ + struct acl_subject_label * curr; + struct acl_ip_label * ip; + unsigned long i; + unsigned long ip_addr = 0; + __u16 ip_port = 0; + + if (unlikely(!gr_acl_is_enabled() || sk->family != PF_INET)) + return 1; + + curr = current->acl; + + if (!curr->ips) return 1; + + ip_addr = addr->sin_addr.s_addr; + ip_port = ntohs(addr->sin_port); + + for (i = 0; i < curr->ip_num; i++) { + ip = *(curr->ips + i); + if((ip->mode & mode) && + (ip_port >= ip->low) && + (ip_port <= ip->high) && + ((ntohl(ip_addr) & ip->netmask) == (ntohl(ip->addr) & ip->netmask)) && + (ip->proto[sk->protocol / 32] & (1 << (sk->protocol % 32))) && + (ip->type & (1 << type))) + return 1; + } + + if (curr->mode & GR_LEARN) { + security_learn(GR_IP_LEARN_MSG, curr->device, curr->inode, + NIPQUAD(ip_addr), ip_port, type, + sk->protocol, mode); + return 1; + } + + if(mode == GR_BIND) + security_alert(GR_BIND_ACL_MSG, GR_BIND_ACL_FLD, + NIPQUAD(ip_addr), ip_port, type, + sk->protocol, DEFAULTSECARGS); + else if(mode == GR_CONNECT) + security_alert(GR_CONNECT_ACL_MSG, GR_CONNECT_ACL_FLD, + NIPQUAD(ip_addr), ip_port, type, + sk->protocol, DEFAULTSECARGS); + + return 0; +} + +int gr_search_connect(const struct socket * sock, + const struct sockaddr_in * addr) +{ + return gr_search_connectbind(GR_CONNECT, sock->sk, addr, sock->type); +} + +int gr_search_bind(const struct socket * sock, + const struct sockaddr_in * addr) +{ + return gr_search_connectbind(GR_BIND, sock->sk, addr, sock->type); +} + +int gr_search_udp_sendmsg(const struct sock * sk, + const struct sockaddr_in * addr) +{ + if (addr) + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM); + else { + struct sockaddr_in sin; + + sin.sin_addr.s_addr = sk->daddr; + sin.sin_port = sk->dport; + + return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM); + } +} + +int gr_search_udp_recvmsg(const struct sock * sk, const struct sk_buff *skb) +{ + struct sockaddr_in sin; + + if (unlikely(skb->len < sizeof(struct udphdr))) + return 1; // skip this packet + + sin.sin_addr.s_addr = skb->nh.iph->saddr; + sin.sin_port = skb->h.uh->source; + + return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM); +} diff -urN linux-2.4.20/grsecurity/gracl_res.c linux-2.4.20/grsecurity/gracl_res.c --- linux-2.4.20/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/gracl_res.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,34 @@ +/* resource handling routines (c) Brad Spengler 2002, 2003 */ + +#include +#include +#include +#include + +static const char * restab_log[11] = { + "RLIMIT_CPU", + "RLIMIT_FSIZE", + "RLIMIT_DATA", + "RLIMIT_STACK", + "RLIMIT_CORE", + "RLIMIT_RSS", + "RLIMIT_NPROC", + "RLIMIT_NOFILE", + "RLIMIT_MEMLOCK", + "RLIMIT_AS", + "RLIMIT_LOCKS" +}; + +__inline__ void gr_log_resource(const struct task_struct *task, + const int res, const unsigned long wanted) +{ + if (unlikely(wanted >= task->rlim[res].rlim_cur)) + security_alert(GR_RESOURCE_MSG, GR_RESOURCE_FLD, + wanted, restab_log[res], + task->rlim[res].rlim_cur, + task->comm, task->pid, task->uid, task->euid, + task->p_pptr->comm, task->p_pptr->pid, + task->p_pptr->uid, task->p_pptr->euid); + + return; +} diff -urN linux-2.4.20/grsecurity/gracl_segv.c linux-2.4.20/grsecurity/gracl_segv.c --- linux-2.4.20/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/gracl_segv.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,296 @@ +/* + * grsecurity/gracl_segv.c + * Copyright Brad Spengler 2002, 2003 + * + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +static struct crash_uid * uid_set; +static unsigned short uid_used; +static rwlock_t gr_uid_lock = RW_LOCK_UNLOCKED; +extern rwlock_t gr_inode_lock; +extern __inline__ struct acl_subject_label * + lookup_acl_subj_label(ino_t inode, kdev_t dev); + +int gr_init_uidset(void) +{ + uid_set = kmalloc(GR_UIDTABLE_MAX * sizeof(struct crash_uid), GFP_KERNEL); + uid_used = 0; + + return uid_set ? 1 : 0; +} + +void gr_free_uidset(void) +{ + if(uid_set) + kfree(uid_set); + + return; +} + +int gr_find_uid(const uid_t uid) +{ + struct crash_uid * tmp = uid_set; + uid_t buid; + int low = 0, high = uid_used - 1, mid; + + while (high >= low) { + mid = (low + high) >> 1; + buid = tmp[mid].uid; + if(buid == uid) + return mid; + if(buid > uid) + high = mid - 1; + if(buid < uid) + low = mid + 1; + } + + return -1; +} + +static __inline__ void gr_insertsort(void) +{ + unsigned short i, j; + struct crash_uid index; + + for(i = 1; i < uid_used; i++) { + index = uid_set[i]; + j = i; + while ((j > 0) && uid_set[j-1].uid > index.uid) { + uid_set[j] = uid_set[j-1]; + j--; + } + uid_set[j] = index; + } + + return; +} + +static __inline__ void gr_insert_uid(const uid_t uid, const unsigned long expires) +{ + int loc; + + if(uid_used == GR_UIDTABLE_MAX) + return; + + loc = gr_find_uid(uid); + + if(loc >= 0) { + uid_set[loc].expires = expires; + return; + } + + uid_set[uid_used].uid = uid; + uid_set[uid_used].expires = expires; + uid_used++; + + gr_insertsort(); + + return; +} + +void gr_remove_uid(const unsigned short loc) +{ + unsigned short i; + + for(i = loc + 1; i < uid_used; i++) + uid_set[i - i] = uid_set[i]; + + uid_used--; + + return; +} + +int gr_check_crash_uid(const uid_t uid) +{ + int loc; + + if (unlikely(!gr_acl_is_enabled())) return 0; + + read_lock(&gr_uid_lock); + loc = gr_find_uid(uid); + read_unlock(&gr_uid_lock); + + if(loc < 0) return 0; + + write_lock(&gr_uid_lock); + if (time_before_eq(uid_set[loc].expires, jiffies)) + gr_remove_uid(loc); + else { + write_unlock(&gr_uid_lock); + return 1; + } + + write_unlock(&gr_uid_lock); + return 0; +} + +static __inline__ int proc_is_setxid(const struct task_struct * task) +{ + if(task->uid != task->euid || task->uid != task->suid || + task->uid != task->fsuid) + return 1; + if(task->gid != task->egid || task->gid != task->sgid || + task->gid != task->fsgid) + return 1; + + return 0; +} +static __inline__ int gr_fake_force_sig(int sig, struct task_struct * t) +{ + unsigned long int flags; + + spin_lock_irqsave(&t->sigmask_lock, flags); + if (t->sig == NULL) { + spin_unlock_irqrestore(&t->sigmask_lock, flags); + return -ESRCH; + } + + if (t->sig->action[sig-1].sa.sa_handler == SIG_IGN) + t->sig->action[sig-1].sa.sa_handler = SIG_DFL; + sigdelset(&t->blocked, sig); + recalc_sigpending(t); + spin_unlock_irqrestore(&t->sigmask_lock, flags); + + return send_sig_info(sig, (void*)1L, t); +} + +void gr_handle_crash(struct task_struct * task, const int sig) +{ + struct acl_subject_label * curr; + struct acl_subject_label * curr2; + struct task_struct * tsk; + + if(sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && + sig != SIGILL) return; + + if(unlikely(!gr_acl_is_enabled())) return; + + + curr = task->acl; + + if(!(curr->resmask & (1 << GR_CRASH_RES))) + return; + + if (time_before_eq(curr->expires, jiffies)) { + curr->expires = 0; + curr->crashes = 0; + } + + curr->crashes++; + + if(!curr->expires) + curr->expires = jiffies + curr->res[GR_CRASH_RES].rlim_max; + + if((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) && + (time_after(curr->expires, jiffies))) { + if(task->uid && proc_is_setxid(task)) { + security_alert(GR_SEGVSTART_ACL_MSG, GR_SEGVSTART_ACL_FLD, + task->comm, task->pid, task->uid, task->euid, + task->p_pptr->comm, task->p_pptr->pid, + task->p_pptr->uid, task->p_pptr->euid, + task->uid, curr->res[GR_CRASH_RES].rlim_max / HZ); + write_lock(&gr_uid_lock); + gr_insert_uid(task->uid, curr->expires); + write_unlock(&gr_uid_lock); + curr->expires = 0; + curr->crashes = 0; + read_lock(&tasklist_lock); + for_each_task(tsk) { + if(tsk != task && tsk->uid == task->uid) + gr_fake_force_sig(SIGKILL, tsk); + } + read_unlock(&tasklist_lock); + } else { + security_alert(GR_SEGVNOSUID_ACL_MSG, GR_SEGVNOSUID_ACL_FLD, + task->comm, task->pid, task->uid, task->euid, + task->p_pptr->comm, task->p_pptr->pid, + task->p_pptr->uid, task->p_pptr->euid, + kdevname(curr->device), curr->inode, + curr->res[GR_CRASH_RES].rlim_max / HZ); + read_lock(&tasklist_lock); + for_each_task(tsk) { + if (likely(tsk != task)) { + curr2 = tsk->acl; + + if (curr2->device == curr->device && + curr2->inode == curr->inode) + gr_fake_force_sig(SIGKILL, tsk); + } + } + read_unlock(&tasklist_lock); + } + } + + return; +} + +int gr_check_crash_exec(const struct file * filp) +{ + struct acl_subject_label * curr; + + if(unlikely(!gr_acl_is_enabled())) return 0; + + read_lock(&gr_inode_lock); + curr = lookup_acl_subj_label(filp->f_dentry->d_inode->i_ino, + filp->f_dentry->d_inode->i_dev); + read_unlock(&gr_inode_lock); + + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) || + (!curr->crashes && !curr->expires)) + return 0; + + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) && + time_after(curr->expires, jiffies)) + return 1; + else if (time_before_eq(curr->expires, jiffies)) { + curr->crashes = 0; + curr->expires = 0; + } + + return 0; +} + +void gr_handle_alertkill(void) +{ + struct acl_subject_label *curracl; + __u32 curr_ip; + struct task_struct *task; + + if (unlikely(!gr_acl_is_enabled())) return; + + curracl = current->acl; + curr_ip = current->curr_ip; + + if ((curracl->mode & GR_KILLIPPROC) && curr_ip && + (curr_ip != 0xffffffff)) { + read_lock(&tasklist_lock); + for_each_task(task) { + if (task->curr_ip == curr_ip) + gr_fake_force_sig(SIGKILL, task); + } + read_unlock(&tasklist_lock); + } else if (curracl->mode & GR_KILLPROC) + gr_fake_force_sig(SIGKILL, current); + + return; +} + diff -urN linux-2.4.20/grsecurity/gracl_shm.c linux-2.4.20/grsecurity/gracl_shm.c --- linux-2.4.20/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/gracl_shm.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,37 @@ +/* shared memory handling routines, (c) Brad Spengler 2002, 2003 */ + +#include +#include +#include +#include +#include +#include +#include +#include + +int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid, + const time_t shm_createtime, const uid_t cuid, + const int shmid) +{ + struct task_struct *task; + + if (!gr_acl_is_enabled()) + return 1; + + task = find_task_by_pid(shm_cprid); + + if (unlikely(!task)) + task = find_task_by_pid(shm_lapid); + + if (unlikely(task && ((task->start_time < shm_createtime) || + (task->pid == shm_lapid)) && + (task->acl->mode & GR_PROTSHM) && + (task->acl != current->acl))) { + security_alert(GR_SHMAT_ACL_MSG, GR_SHMAT_ACL_FLD, + cuid, shm_cprid, shmid, + DEFAULTSECARGS); + return 0; + } + + return 1; +} diff -urN linux-2.4.20/grsecurity/grsec_chdir.c linux-2.4.20/grsecurity/grsec_chdir.c --- linux-2.4.20/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/grsec_chdir.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,19 @@ +#include +#include +#include +#include +#include +#include + +void gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt) +{ +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR + if ((grsec_enable_chdir && grsec_enable_group && + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir && + !grsec_enable_group)) { + security_audit(GR_CHDIR_AUDIT_MSG, gr_to_filename(dentry, mnt), + DEFAULTSECARGS); + } +#endif + return; +} diff -urN linux-2.4.20/grsecurity/grsec_chroot.c linux-2.4.20/grsecurity/grsec_chroot.c --- linux-2.4.20/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/grsec_chroot.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,309 @@ +#include +#include +#include +#include +#include +#include + +int gr_handle_chroot_unix(const pid_t pid) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX + struct task_struct *p, **htable; + + if (unlikely(!grsec_enable_chroot_unix)) return 1; + + if (likely(!proc_is_chrooted(current))) + return 1; + + read_lock(&tasklist_lock); + + htable = &pidhash[pid_hashfn(pid)]; + + for(p = *htable; p && p->pid != pid; p = p->pidhash_next) + ; + + if (unlikely(p && !have_same_root(current, p))) { + read_unlock(&tasklist_lock); + security_alert(GR_UNIX_CHROOT_MSG, GR_UNIX_CHROOT_FLD, + DEFAULTSECARGS); + return 0; + } + read_unlock(&tasklist_lock); +#endif + return 1; +} + +int gr_handle_chroot_nice(void) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) { + security_alert(GR_NICE_CHROOT_MSG, GR_NICE_CHROOT_FLD, + DEFAULTSECARGS); + return -EPERM; + } + +#endif + return 0; +} + +int gr_handle_chroot_setpriority(const struct task_struct *p, const int niceval) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE + if (grsec_enable_chroot_nice && (!have_same_root(p,current) + || (have_same_root(p,current) && (niceval < p->nice) && proc_is_chrooted(current)))) { + security_alert(GR_PRIORITY_CHROOT_MSG, GR_PRIORITY_CHROOT_FLD, + p->comm,p->pid,DEFAULTSECARGS); + return -ESRCH; + } +#endif + return 0; +} + +int gr_handle_chroot_capset(const struct task_struct *target) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS + if (grsec_enable_chroot_caps && proc_is_chrooted(current) && + !have_same_root(current,target)) { + security_alert(GR_CAPSET_CHROOT_MSG, GR_CAPSET_CHROOT_FLD, + target->comm, target->pid, + DEFAULTSECARGS); + return 1; + } +#endif + return 0; +} + +int gr_pid_is_chrooted(const struct task_struct *p) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK + if(!grsec_enable_chroot_findtask) return 0; + + if(p && p->fs && p->fs->root && p->fs->root->d_inode && + child_reaper && child_reaper->fs && child_reaper->fs->root && + child_reaper->fs->root->d_inode && current && current->fs && + current->fs->root && current->fs->root->d_inode) { + if(proc_is_chrooted(current) && !have_same_root(current, p)) + return 1; + } +#endif + return 0; +} + +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR + if (!grsec_enable_chroot_fchdir) return 1; + + if (!proc_is_chrooted(current)) + return 1; + else { + struct dentry *dentry = u_dentry; + struct vfsmount *mnt = u_mnt; + struct dentry *realroot; + struct vfsmount *realrootmnt; + struct dentry *currentroot; + struct vfsmount *currentmnt; + + read_lock(&child_reaper->fs->lock); + realrootmnt = mntget(child_reaper->fs->rootmnt); + realroot = dget(child_reaper->fs->root); + read_unlock(&child_reaper->fs->lock); + + read_lock(¤t->fs->lock); + currentmnt = mntget(current->fs->rootmnt); + currentroot = dget(current->fs->root); + read_unlock(¤t->fs->lock); + + spin_lock(&dcache_lock); + for(;;) { + if (unlikely((dentry == realroot && mnt == realrootmnt) || + (dentry == currentroot && mnt == currentmnt))) + break; + if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) { + if (mnt->mnt_parent == mnt) + break; + dentry = mnt->mnt_mountpoint; + mnt = mnt->mnt_parent; + continue; + } + dentry = dentry->d_parent; + } + spin_unlock(&dcache_lock); + + dput(currentroot); + mntput(currentmnt); + + if (dentry == realroot && mnt == realrootmnt) { + /* ok, they're definitely trying to fchdir outside of the + chroot. */ + dput(realroot); + mntput(realrootmnt); + security_alert(GR_CHROOT_FCHDIR_MSG, GR_CHROOT_FCHDIR_FLD, + gr_to_filename(u_dentry, u_mnt), + DEFAULTSECARGS); + return 0; + } else { + dput(realroot); + mntput(realrootmnt); + return 1; + } + } +#endif + return 1; +} + +int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid, + const time_t shm_createtime) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT + struct task_struct *p, **htable; + + if (unlikely(!grsec_enable_chroot_shmat)) return 1; + + if (likely(!proc_is_chrooted(current))) + return 1; + + read_lock(&tasklist_lock); + + htable = &pidhash[pid_hashfn(shm_cprid)]; + + for(p = *htable; p && p->pid != shm_cprid; p = p->pidhash_next) + ; + + if (unlikely(p && !have_same_root(current, p) && + (p->start_time < shm_createtime))) { + read_unlock(&tasklist_lock); + security_alert(GR_SHMAT_CHROOT_MSG, GR_SHMAT_CHROOT_FLD, + DEFAULTSECARGS); + return 0; + } + + if (unlikely(!p)) { + htable = &pidhash[pid_hashfn(shm_lapid)]; + for(p = *htable; p && p->pid != shm_lapid; p = p->pidhash_next) + ; + + if (unlikely(p && !have_same_root(current, p))) { + read_unlock(&tasklist_lock); + security_alert(GR_SHMAT_CHROOT_MSG, GR_SHMAT_CHROOT_FLD, + DEFAULTSECARGS); + return 0; + } + } + + read_unlock(&tasklist_lock); +#endif + return 1; +} + +void gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG + if (grsec_enable_chroot_execlog && proc_is_chrooted(current)) + security_audit(GR_EXEC_CHROOT_MSG, gr_to_filename(dentry, mnt), + DEFAULTSECARGS); +#endif + return; +} + +int gr_handle_chroot_mknod(const struct dentry *dentry, + const struct vfsmount *mnt, + const int mode) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && + proc_is_chrooted(current)) { + security_alert(GR_MKNOD_CHROOT_MSG, GR_MKNOD_CHROOT_FLD, + gr_to_filename(dentry, mnt), DEFAULTSECARGS); + return -EPERM; + } +#endif + return 0; +} + +int gr_handle_chroot_mount(const struct dentry *dentry, + const struct vfsmount *mnt, + const char *dev_name) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) { + security_alert(GR_MOUNT_CHROOT_MSG, GR_MOUNT_CHROOT_FLD, + dev_name, gr_to_filename(dentry, mnt), + DEFAULTSECARGS); + return -EPERM; + } +#endif + return 0; +} + +int gr_handle_chroot_pivot(void) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) { + security_alert(GR_PIVOT_CHROOT_MSG, GR_PIVOT_CHROOT_FLD, + DEFAULTSECARGS); + return -EPERM; + } +#endif + return 0; +} + +int gr_handle_chroot_chroot(const struct dentry *dentry, + const struct vfsmount *mnt) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE + if (grsec_enable_chroot_double && proc_is_chrooted(current)) { + security_alert(GR_CHROOT_CHROOT_MSG, GR_CHROOT_CHROOT_FLD, + gr_to_filename(dentry, mnt), DEFAULTSECARGS); + return -EPERM; + } +#endif + return 0; +} + +void gr_handle_chroot_caps(void) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS + if (grsec_enable_chroot_caps && proc_is_chrooted(current) && (current->pid > 1)) { + current->cap_permitted = cap_drop(current->cap_permitted,GR_CHROOT_CAPS); + current->cap_inheritable = cap_drop(current->cap_inheritable,GR_CHROOT_CAPS); + current->cap_effective = cap_drop(current->cap_effective,GR_CHROOT_CAPS); + } +#endif + return; +} + +int gr_handle_chroot_sysctl(const int op) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL + if (grsec_enable_chroot_sysctl && proc_is_chrooted(current) && (op & 002)) + return -EACCES; +#endif + return 0; +} + +void gr_handle_chroot_chdir(struct dentry *dentry, + struct vfsmount *mnt) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR + if (grsec_enable_chroot_chdir) + set_fs_pwd(current->fs, mnt, dentry); +#endif + return; +} + +int gr_handle_chroot_chmod(const struct dentry *dentry, + const struct vfsmount *mnt, const int mode) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD + if (grsec_enable_chroot_chmod && + ((mode & S_ISUID) || (mode & S_ISGID)) && + proc_is_chrooted(current)) { + security_alert(GR_CHMOD_CHROOT_MSG, GR_CHMOD_CHROOT_FLD, + gr_to_filename(dentry, mnt), + DEFAULTSECARGS); + return -EPERM; + } +#endif + return 0; +} diff -urN linux-2.4.20/grsecurity/grsec_disabled.c linux-2.4.20/grsecurity/grsec_disabled.c --- linux-2.4.20/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/grsec_disabled.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,316 @@ +/* + * when grsecurity is disabled, compile all external functions into nothing + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#ifdef CONFIG_SYSCTL +__u32 gr_handle_sysctl(const struct ctl_table * table, __u32 mode) +{ + return mode; +} +#endif + +int gr_acl_is_enabled(void) +{ + return 0; +} + +int gr_handle_ptrace_exec(const struct dentry *dentry, const struct vfsmount *mnt) +{ + return 0; +} + +int gr_handle_mmap(const struct file * filp, const unsigned long prot) +{ + return 0; +} + +int gr_handle_ptrace(struct task_struct * task, const long request) +{ + return 0; +} + +void gr_learn_resource(const struct task_struct * task, + const int res, const unsigned long wanted) +{ + return; +} + +int gr_set_acls(const int type) +{ + return 0; +} + +int gr_check_hidden_task(const struct task_struct *tsk) +{ + return 0; +} + +int gr_check_protected_task(const struct task_struct *task) +{ + return 0; +} + +__inline__ void gr_copy_label(struct task_struct *tsk) +{ + return; +} + +void gr_set_pax_flags(struct task_struct *task) +{ + return; +} + +void gr_set_proc_label(const struct dentry *dentry, + const struct vfsmount *mnt) +{ + return; +} + +void gr_handle_delete(const ino_t ino, const kdev_t dev) +{ + return; +} + +void gr_handle_create(const struct dentry * dentry, + const struct vfsmount * mnt) +{ + return; +} + +void gr_handle_crash(struct task_struct * task, const int sig) +{ + return; +} + +int gr_check_crash_exec(const struct file * filp) +{ + return 0; +} + +int gr_check_crash_uid(const uid_t uid) +{ + return 0; +} + +int gr_handle_rename(struct inode * old_dir, struct inode * new_dir, + struct dentry * old_dentry, + struct dentry * new_dentry, + struct vfsmount * mnt, const __u8 replace) +{ + return 0; +} + +int gr_search_socket(const int family, const int type, const int protocol) +{ + return 1; +} + +int gr_search_connectbind(const int mode, const struct socket * sock, + const struct sockaddr_in * addr) +{ + return 1; +} + +int gr_is_capable(const int cap) +{ + return 1; +} + +void gr_handle_alertkill(void) +{ + return; +} + +__u32 gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt) +{ + return 1; +} + +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry, const struct vfsmount *mnt) +{ + return 1; +} + +__u32 gr_acl_handle_open(const struct dentry *dentry, const struct vfsmount *mnt, + const int fmode) +{ + return 1; +} + +__u32 gr_acl_handle_rmdir(const struct dentry *dentry, const struct vfsmount *mnt) +{ + return 1; +} + +__u32 gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt) +{ + return 1; +} + +int gr_acl_handle_mmap(const struct file *file, const unsigned long prot, + unsigned int *vm_flags) +{ + return 1; +} + + +__u32 gr_acl_handle_truncate(const struct dentry *dentry, + const struct vfsmount *mnt) +{ + return 1; +} + +__u32 gr_acl_handle_utime(const struct dentry *dentry, + const struct vfsmount *mnt) +{ + return 1; +} + +__u32 gr_acl_handle_access(const struct dentry *dentry, + const struct vfsmount *mnt, const int fmode) +{ + return 1; +} + +__u32 gr_acl_handle_fchmod(const struct dentry *dentry, + const struct vfsmount *mnt) +{ + return 1; +} + +__u32 gr_acl_handle_chmod(const struct dentry *dentry, + const struct vfsmount *mnt) +{ + return 1; +} + +__u32 gr_acl_handle_chown(const struct dentry *dentry, + const struct vfsmount *mnt) +{ + return 1; +} + +void grsecurity_init(void) +{ + return; +} + +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry, + const struct dentry *parent_dentry, + const struct vfsmount *parent_mnt) +{ + return 1; +} + +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry, + const struct dentry *parent_dentry, + const struct vfsmount *parent_mnt) +{ + return 1; +} + +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry, + const struct dentry *parent_dentry, + const struct vfsmount *parent_mnt, + const char *from) +{ + return 1; +} + +__u32 gr_acl_handle_link(const struct dentry *new_dentry, + const struct dentry *parent_dentry, + const struct vfsmount *parent_mnt, + const struct dentry *old_dentry, + const struct vfsmount *old_mnt, + const char *to) +{ + return 1; +} + +int gr_acl_handle_rename(const struct dentry *new_dentry, + const struct dentry *parent_dentry, + const struct vfsmount *parent_mnt, + const struct dentry *old_dentry, + const struct inode *old_parent_inode, + const struct vfsmount *old_mnt, + const char *newname) +{ + return 1; +} + +__u32 gr_acl_handle_filldir(const struct dentry *dentry, + const struct vfsmount *mnt, const ino_t ino) +{ + return 1; +} + +int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid, + const time_t shm_createtime, const uid_t cuid, + const int shmid) +{ + return 1; +} + +int gr_search_bind(const struct socket * sock, + const struct sockaddr_in * addr) +{ + return 1; +} + +int gr_search_connect(const struct socket * sock, + const struct sockaddr_in * addr) +{ + return 1; +} + +__u32 gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt) +{ + return 1; +} + +__u32 gr_acl_handle_creat(const struct dentry *dentry, + const struct dentry *p_dentry, + const struct vfsmount *p_mnt, + const int fmode) +{ + return 1; +} + +void gr_acl_handle_exit(void) +{ + return; +} + +int gr_acl_handle_mprotect(const struct file *file, const unsigned long prot) +{ + return 1; +} + +int gr_acl_handle_procpidmem(const struct task_struct *task) +{ + return 0; +} + +int gr_search_udp_recvmsg(const struct sock *sk, + const struct sk_buff *skb) +{ + return 1; +} + +int gr_search_udp_sendmsg(const struct sock * sk, + const struct sockaddr_in * addr) +{ + return 1; +} diff -urN linux-2.4.20/grsecurity/grsec_exec.c linux-2.4.20/grsecurity/grsec_exec.c --- linux-2.4.20/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/grsec_exec.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,64 @@ +#include +#include +#include +#include +#include +#include +#include + +#include + +int gr_handle_nproc(void) +{ +#ifdef CONFIG_GRKERNSEC_EXECVE + if (grsec_enable_execve && current->user && + (atomic_read(¤t->user->processes) > current->rlim[RLIMIT_NPROC].rlim_cur)) { + security_alert(GR_NPROC_MSG, GR_NPROC_FLD, DEFAULTSECARGS); + return -EAGAIN; + } +#endif + return 0; +} + +void gr_handle_exec_args(struct linux_binprm * bprm, char ** argv) +{ +#ifdef CONFIG_GRKERNSEC_EXECLOG + char grarg[64] = {0}; + __u8 execlen = 0; + unsigned int i; + + if (!((grsec_enable_execlog && grsec_enable_group && + in_group_p(grsec_audit_gid)) + || (grsec_enable_execlog && !grsec_enable_group))) + return; + + if (unlikely(!argv)) goto log; + + for(i = 0; i < bprm->argc && execlen < 62; i++) { + char *p; + __u8 len; + + if (get_user(p, argv + i)) + goto log; + if (!p) + goto log; + len = strnlen_user(p, 62 - execlen); + if (len > 62 - execlen) + len = 62 - execlen; + else if (len > 0) + len--; + if (copy_from_user(grarg + execlen, p, len)) + goto log; + execlen += len; + *(grarg + execlen) = ' '; + *(grarg + execlen + 1) = '\0'; + execlen++; + } + +log: + security_audit(GR_EXEC_AUDIT_MSG, gr_to_filename(bprm->file->f_dentry, + bprm->file->f_vfsmnt), grarg, + DEFAULTSECARGS); +#endif + return; +} diff -urN linux-2.4.20/grsecurity/grsec_fifo.c linux-2.4.20/grsecurity/grsec_fifo.c --- linux-2.4.20/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/grsec_fifo.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,25 @@ +#include +#include +#include +#include +#include + +int gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt, + const struct dentry *dir, const int flag, const int acc_mode) +{ +#ifdef CONFIG_GRKERNSEC_FIFO + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) && + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) && + (dentry->d_inode->i_uid != dir->d_inode->i_uid) && + (current->fsuid != dentry->d_inode->i_uid)) { + if(!permission(dentry->d_inode, acc_mode)) + security_alert(GR_FIFO_MSG, GR_FIFO_FLD, + gr_to_filename(dentry, mnt), + dentry->d_inode->i_uid, dentry->d_inode->i_gid, + DEFAULTSECARGS); + return -EACCES; + } +#endif + return 0; +} + diff -urN linux-2.4.20/grsecurity/grsec_fork.c linux-2.4.20/grsecurity/grsec_fork.c --- linux-2.4.20/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/grsec_fork.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,14 @@ +#include +#include +#include +#include + +void gr_log_forkfail(const int retval) +{ +#ifdef CONFIG_GRKERNSEC_FORKFAIL + if (grsec_enable_forkfail) + security_alert(GR_FAILFORK_MSG, GR_FAILFORK_FLD, + retval, DEFAULTSECARGS); +#endif + return; +} diff -urN linux-2.4.20/grsecurity/grsec_init.c linux-2.4.20/grsecurity/grsec_init.c --- linux-2.4.20/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/grsec_init.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,200 @@ +#include +#include +#include +#include + +int grsec_enable_link; +int grsec_enable_dmesg; +int grsec_enable_fifo; +int grsec_enable_execve; +int grsec_enable_execlog; +int grsec_enable_signal; +int grsec_enable_forkfail; +int grsec_enable_time; +int grsec_enable_group; +int grsec_audit_gid; +int grsec_enable_chdir; +int grsec_enable_audit_ipc; +int grsec_enable_mount; +int grsec_enable_chroot_findtask; +int grsec_enable_chroot_mount; +int grsec_enable_chroot_shmat; +int grsec_enable_chroot_fchdir; +int grsec_enable_chroot_double; +int grsec_enable_chroot_pivot; +int grsec_enable_chroot_chdir; +int grsec_enable_chroot_chmod; +int grsec_enable_chroot_mknod; +int grsec_enable_chroot_nice; +int grsec_enable_chroot_execlog; +int grsec_enable_chroot_caps; +int grsec_enable_chroot_sysctl; +int grsec_enable_chroot_unix; +int grsec_enable_tpe; +int grsec_tpe_gid; +int grsec_enable_tpe_all; +int grsec_enable_randpid; +int grsec_enable_randid; +int grsec_enable_randisn; +int grsec_enable_randsrc; +int grsec_enable_randrpc; +int grsec_enable_randping; +int grsec_enable_socket_all; +int grsec_socket_all_gid; +int grsec_enable_socket_client; +int grsec_socket_client_gid; +int grsec_enable_socket_server; +int grsec_socket_server_gid; +int grsec_lock; + +spinlock_t grsec_alert_lock = SPIN_LOCK_UNLOCKED; +unsigned long grsec_alert_wtime = 0; +unsigned long grsec_alert_fyet = 0; + +spinlock_t grsec_alertgood_lock = SPIN_LOCK_UNLOCKED; +unsigned long grsec_alertgood_wtime = 0; +unsigned long grsec_alertgood_fyet = 0; + +spinlock_t grsec_audit_lock = SPIN_LOCK_UNLOCKED; +spinlock_t grsec_learn_lock = SPIN_LOCK_UNLOCKED; + +char *gr_shared_page[NR_CPUS]; +extern void arc4_init(void); + +void grsecurity_init(void) +{ + int i; + /* create the per-cpu shared pages */ + + for (i = 0; i < NR_CPUS; i++) { + gr_shared_page[i] = (char *)get_zeroed_page(GFP_KERNEL); + if (!gr_shared_page[i]) { + panic("Unable to allocate grsecurity shared page"); + return; + } + } + + arc4_init(); + +#ifndef CONFIG_GRKERNSEC_SYSCTL +grsec_lock = 1; +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP +grsec_enable_group = 1; +grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID; +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR +grsec_enable_chdir = 1; +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC +grsec_enable_audit_ipc = 1; +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT +grsec_enable_mount = 1; +#endif +#ifdef CONFIG_GRKERNSEC_LINK +grsec_enable_link = 1; +#endif +#ifdef CONFIG_GRKERNSEC_DMESG +grsec_enable_dmesg = 1; +#endif +#ifdef CONFIG_GRKERNSEC_FIFO +grsec_enable_fifo = 1; +#endif +#ifdef CONFIG_GRKERNSEC_EXECVE +grsec_enable_execve = 1; +#endif +#ifdef CONFIG_GRKERNSEC_EXECLOG +grsec_enable_execlog = 1; +#endif +#ifdef CONFIG_GRKERNSEC_SIGNAL +grsec_enable_signal = 1; +#endif +#ifdef CONFIG_GRKERNSEC_FORKFAIL +grsec_enable_forkfail = 1; +#endif +#ifdef CONFIG_GRKERNSEC_TIME +grsec_enable_time = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK +grsec_enable_chroot_findtask = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX +grsec_enable_chroot_unix = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT +grsec_enable_chroot_mount = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR +grsec_enable_chroot_fchdir = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT +grsec_enable_chroot_shmat = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE +grsec_enable_chroot_double = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT +grsec_enable_chroot_pivot = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR +grsec_enable_chroot_chdir = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD +grsec_enable_chroot_chmod = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD +grsec_enable_chroot_mknod = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE +grsec_enable_chroot_nice = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG +grsec_enable_chroot_execlog = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS +grsec_enable_chroot_caps = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL +grsec_enable_chroot_sysctl = 1; +#endif +#ifdef CONFIG_GRKERNSEC_TPE +grsec_enable_tpe = 1; +grsec_tpe_gid= CONFIG_GRKERNSEC_TPE_GID; +#ifdef CONFIG_GRKERNSEC_TPE_ALL +grsec_enable_tpe_all = 1; +#endif +#endif +#ifdef CONFIG_GRKERNSEC_RANDPID +grsec_enable_randpid = 1; +#endif +#ifdef CONFIG_GRKERNSEC_RANDID +grsec_enable_randid = 1; +#endif +#ifdef CONFIG_GRKERNSEC_RANDISN +grsec_enable_randisn = 1; +#endif +#ifdef CONFIG_GRKERNSEC_RANDSRC +grsec_enable_randsrc = 1; +#endif +#ifdef CONFIG_GRKERNSEC_RANDRPC +grsec_enable_randrpc = 1; +#endif +#ifdef CONFIG_GRKERNSEC_RANDPING +grsec_enable_randping = 1; +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL +grsec_enable_socket_all = 1; +grsec_socket_all_gid= CONFIG_GRKERNSEC_SOCKET_ALL_GID; +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT +grsec_enable_socket_client = 1; +grsec_socket_client_gid= CONFIG_GRKERNSEC_SOCKET_CLIENT_GID; +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER +grsec_enable_socket_server = 1; +grsec_socket_server_gid= CONFIG_GRKERNSEC_SOCKET_SERVER_GID; +#endif +#endif + +return; +} diff -urN linux-2.4.20/grsecurity/grsec_ipc.c linux-2.4.20/grsecurity/grsec_ipc.c --- linux-2.4.20/grsecurity/grsec_ipc.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/grsec_ipc.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,75 @@ +#include +#include +#include +#include +#include +#include + +void gr_log_msgget(const int ret, const int msgflg) +{ +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC + if (((grsec_enable_group && in_group_p(grsec_audit_gid) && + grsec_enable_audit_ipc) || (grsec_enable_audit_ipc && + !grsec_enable_group)) && (ret >= 0) && (msgflg & IPC_CREAT)) + security_audit(GR_MSGQ_AUDIT_MSG, DEFAULTSECARGS); +#endif + return; +} + +void gr_log_msgrm(const uid_t uid, const uid_t cuid) +{ +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC + if ((grsec_enable_group && in_group_p(grsec_audit_gid) && + grsec_enable_audit_ipc) || + (grsec_enable_audit_ipc && !grsec_enable_group)) + security_audit(GR_MSGQR_AUDIT_MSG, uid, + cuid, DEFAULTSECARGS); +#endif + return; +} + +void gr_log_semget(const int err, const int semflg) +{ +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC + if (((grsec_enable_group && in_group_p(grsec_audit_gid) && + grsec_enable_audit_ipc) || (grsec_enable_audit_ipc && + !grsec_enable_group)) && (err >= 0) && (semflg & IPC_CREAT)) + security_audit(GR_SEM_AUDIT_MSG, DEFAULTSECARGS); +#endif + return; +} + +void gr_log_semrm(const uid_t uid, const uid_t cuid) +{ +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC + if ((grsec_enable_group && in_group_p(grsec_audit_gid) && + grsec_enable_audit_ipc) || + (grsec_enable_audit_ipc && !grsec_enable_group)) + security_audit(GR_SEMR_AUDIT_MSG, uid, + cuid, DEFAULTSECARGS); +#endif + return; +} + +void gr_log_shmget(const int err, const int shmflg, const size_t size) +{ +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC + if (((grsec_enable_group && in_group_p(grsec_audit_gid) && + grsec_enable_audit_ipc) || (grsec_enable_audit_ipc && + !grsec_enable_group)) && (err >= 0) && (shmflg & IPC_CREAT)) + security_audit(GR_SHM_AUDIT_MSG, size, DEFAULTSECARGS); +#endif + return; +} + +void gr_log_shmrm(const uid_t uid, const uid_t cuid) +{ +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC + if ((grsec_enable_group && in_group_p(grsec_audit_gid) && + grsec_enable_audit_ipc) || + (grsec_enable_audit_ipc && !grsec_enable_group)) + security_audit(GR_SHMR_AUDIT_MSG, uid, + cuid, DEFAULTSECARGS); +#endif + return; +} diff -urN linux-2.4.20/grsecurity/grsec_link.c linux-2.4.20/grsecurity/grsec_link.c --- linux-2.4.20/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/grsec_link.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,43 @@ +#include +#include +#include +#include +#include + +int gr_handle_follow_link(const struct inode *parent, + const struct inode *inode, + const struct dentry *dentry, + const struct vfsmount *mnt) +{ +#ifdef CONFIG_GRKERNSEC_LINK + if (grsec_enable_link && S_ISLNK(inode->i_mode) && + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) && + (parent->i_mode & S_IWOTH) && (current->fsuid != inode->i_uid)) { + security_alert(GR_SYMLINK_MSG, GR_SYMLINK_FLD, + gr_to_filename(dentry, mnt), + inode->i_uid, inode->i_gid, DEFAULTSECARGS); + return -EACCES; + } +#endif + return 0; +} + +int gr_handle_hardlink(const struct dentry *dentry, + const struct vfsmount *mnt, + struct inode *inode, + const int mode, const char *to) +{ +#ifdef CONFIG_GRKERNSEC_LINK + if (grsec_enable_link && current->fsuid != inode->i_uid && + (!S_ISREG(mode) || (mode & S_ISUID) || + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) || + (permission(inode, MAY_READ | MAY_WRITE))) && + !capable(CAP_FOWNER) && current->uid) { + security_alert(GR_HARDLINK_MSG, GR_HARDLINK_FLD, + gr_to_filename(dentry, mnt), + inode->i_uid, inode->i_gid, to, DEFAULTSECARGS); + return -EPERM; + } +#endif + return 0; +} diff -urN linux-2.4.20/grsecurity/grsec_mem.c linux-2.4.20/grsecurity/grsec_mem.c --- linux-2.4.20/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/grsec_mem.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,47 @@ +#include +#include +#include +#include + +void gr_handle_ioperm(void) +{ + security_alert(GR_IOPERM_MSG, GR_IOPERM_FLD, DEFAULTSECARGS); + return; +} + +void gr_handle_iopl(void) +{ + security_alert(GR_IOPL_MSG, GR_IOPL_FLD, DEFAULTSECARGS); + return; +} + +void gr_handle_mem_write(void) +{ + security_alert(GR_MEM_WRITE_MSG, GR_MEM_WRITE_FLD, DEFAULTSECARGS); + return; +} + +void gr_handle_kmem_write(void) +{ + security_alert(GR_KMEM_MSG, GR_KMEM_FLD, DEFAULTSECARGS); + return; +} + +void gr_handle_open_port(void) +{ + security_alert(GR_PORT_OPEN_MSG, GR_PORT_OPEN_FLD, DEFAULTSECARGS); + return; +} + +int gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma) +{ + if (offset < __pa(high_memory) && + (pgprot_val(vma->vm_page_prot) & PROT_WRITE) && + (offset != 0xa0000 || ((vma->vm_end - vma->vm_start) > 0x20000))) { + security_alert(GR_MEM_MMAP_MSG, GR_MEM_MMAP_FLD, DEFAULTSECARGS); + return -EPERM; + } else if (offset < __pa(high_memory)) + vma->vm_flags &= ~VM_MAYWRITE; + + return 0; +} diff -urN linux-2.4.20/grsecurity/grsec_mount.c linux-2.4.20/grsecurity/grsec_mount.c --- linux-2.4.20/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/grsec_mount.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,36 @@ +#include +#include +#include +#include + +void gr_log_remount(const char *devname, const int retval) +{ +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT + if (grsec_enable_mount && (retval >= 0)) + security_audit(GR_REMOUNT_AUDIT_MSG, + devname, DEFAULTSECARGS); +#endif + return; +} + + +void gr_log_unmount(const char *devname, const int retval) +{ +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT + if (grsec_enable_mount && (retval >= 0)) + security_audit(GR_UNMOUNT_AUDIT_MSG, + devname, DEFAULTSECARGS); +#endif + return; +} + +void gr_log_mount(const char *from, const char *to, const int retval) +{ +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT + if (grsec_enable_mount && (retval >= 0)) + security_audit(GR_MOUNT_AUDIT_MSG, + from, to, DEFAULTSECARGS); +#endif + return; +} + diff -urN linux-2.4.20/grsecurity/grsec_rand.c linux-2.4.20/grsecurity/grsec_rand.c --- linux-2.4.20/grsecurity/grsec_rand.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/grsec_rand.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,33 @@ +#include +#include +#include +#include +#include + +int gr_random_pid(spinlock_t *pid_lock) +{ +#ifdef CONFIG_GRKERNSEC_RANDPID + struct task_struct *p; + int pid; + + if (grsec_enable_randpid && current->fs->root) { + read_lock(&tasklist_lock); + spin_lock(pid_lock); + + repeater: + + pid = 1 + (arc4random() % PID_MAX); + + for_each_task(p) { + if (p->pid == pid || p->pgrp == pid || + p->tgid == pid || p->session == pid) + goto repeater; + } + spin_unlock(pid_lock); + read_unlock(&tasklist_lock); + return pid; + } +#endif + return 0; +} + diff -urN linux-2.4.20/grsecurity/grsec_sig.c linux-2.4.20/grsecurity/grsec_sig.c --- linux-2.4.20/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/grsec_sig.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,39 @@ +#include +#include +#include + +void gr_log_signal(const int sig, const struct task_struct *t) +{ +#ifdef CONFIG_GRKERNSEC_SIGNAL + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) || + (sig == SIGABRT) || (sig == SIGBUS))) { + if (t->pid == current->pid) { + security_alert_good(GR_UNISIGLOG_MSG, GR_UNISIGLOG_FLD, + sig, DEFAULTSECARGS); + } else { + security_alert_good(GR_DUALSIGLOG_MSG, GR_DUALSIGLOG_FLD, + sig, t->comm, t->pid, t->uid, t->euid, + t->p_pptr->comm, t->p_pptr->pid, + t->p_pptr->uid, t->p_pptr->euid, + DEFAULTSECARGS); + } + } +#endif + return; +} + +int gr_handle_signal(const struct task_struct *p, const int sig) +{ +#ifdef CONFIG_GRKERNSEC + if (current->pid > 1 && gr_check_protected_task(p)) { + security_alert(GR_SIG_ACL_MSG, GR_SIG_ACL_FLD, + sig, p->comm, p->pid, p->uid, p->euid, + p->p_pptr->comm, p->p_pptr->pid, p->p_pptr->uid, + p->p_pptr->euid, DEFAULTSECARGS); + return -EPERM; + } else if (gr_pid_is_chrooted(p)) { + return -EPERM; + } +#endif + return 0; +} diff -urN linux-2.4.20/grsecurity/grsec_sock.c linux-2.4.20/grsecurity/grsec_sock.c --- linux-2.4.20/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/grsec_sock.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,113 @@ +#include +#include +#include +#include +#include +#include +#include +#include + +void gr_attach_curr_ip(const struct sock *sk) +{ +#ifdef CONFIG_GRKERNSEC + struct task_struct *p; + unsigned int i; + struct inode *inode; + struct file *filp; + struct socket *connect_sock; + + if (unlikely(sk->protocol != IPPROTO_TCP)) + return; + + read_lock(&tasklist_lock); + for_each_task(p) { + if (!p->used_connect) continue; + task_lock(p); + if (unlikely(!p->files)) { + task_unlock(p); + continue; + } + read_lock(&p->files->file_lock); + for(i = 0; i < p->files->max_fds; i++) { + filp = fcheck_files(p->files, i); + if (likely(!filp)) continue; + inode = filp->f_dentry->d_inode; + if (likely(!inode || !inode->i_sock)) continue; + connect_sock = &inode->u.socket_i; + if (unlikely(!connect_sock || + connect_sock->sk->protocol != IPPROTO_TCP)) + continue; + if (unlikely(sk->rcv_saddr == connect_sock->sk->daddr && + sk->daddr == connect_sock->sk->rcv_saddr && + ntohs(sk->sport) == ntohs(connect_sock->sk->dport) && + ntohs(sk->dport) == ntohs(connect_sock->sk->sport))) { + current->curr_ip = p->curr_ip; + current->used_accept = 1; + read_unlock(&p->files->file_lock); + task_unlock(p); + read_unlock(&tasklist_lock); + return; + } + } + read_unlock(&p->files->file_lock); + task_unlock(p); + } + read_unlock(&tasklist_lock); + + current->curr_ip = sk->daddr; + current->used_accept = 1; +#endif + return; +} + +int gr_handle_sock_all(const int family, const int type, const int protocol) +{ +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) && + (family != AF_UNIX) && (family != AF_LOCAL)) { + security_alert(GR_SOCK_MSG, GR_SOCK_FLD, family, type, + protocol, DEFAULTSECARGS); + return -EACCES; + } +#endif + return 0; +} + +int gr_handle_sock_server(const struct sockaddr *sck) +{ +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER + if (grsec_enable_socket_server && + in_group_p(grsec_socket_server_gid) && + sck && (sck->sa_family != AF_UNIX) && + (sck->sa_family != AF_LOCAL)) { + security_alert(GR_BIND_MSG, GR_BIND_FLD, DEFAULTSECARGS); + return -EACCES; + } +#endif + return 0; +} + +int gr_handle_sock_client(const struct sockaddr *sck) +{ +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) && + sck && (sck->sa_family != AF_UNIX) && + (sck->sa_family != AF_LOCAL)) { + security_alert(GR_CONNECT_MSG, GR_CONNECT_FLD, DEFAULTSECARGS); + return -EACCES; + } +#endif + return 0; +} + +__u32 gr_cap_rtnetlink(void) +{ +#ifdef CONFIG_GRKERNSEC + if (!gr_acl_is_enabled()) + return current->cap_effective; + else + return (current->cap_effective & ~(current->acl->cap_lower)); +#else + return current->cap_effective; +#endif +} diff -urN linux-2.4.20/grsecurity/grsec_sysctl.c linux-2.4.20/grsecurity/grsec_sysctl.c --- linux-2.4.20/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/grsec_sysctl.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,17 @@ +#include +#include +#include +#include + +int gr_handle_sysctl_mod(const char *name, ctl_table *table, const int op) +{ +#ifdef CONFIG_GRKERNSEC + if (!strcmp(name, "grsecurity") && grsec_lock + && (table->ctl_name != 1) && (op & 002)) { + security_alert(GR_SYSCTL_MSG, GR_SYSCTL_FLD, + name, DEFAULTSECARGS); + return -EACCES; + } +#endif + return 0; +} diff -urN linux-2.4.20/grsecurity/grsec_time.c linux-2.4.20/grsecurity/grsec_time.c --- linux-2.4.20/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/grsec_time.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,13 @@ +#include +#include +#include + +void gr_log_timechange(void) +{ +#ifdef CONFIG_GRKERNSEC_TIME + if (grsec_enable_time) + security_alert_good(GR_TIME_MSG, GR_TIME_FLD, DEFAULTSECARGS); +#endif + return; +} + diff -urN linux-2.4.20/grsecurity/grsec_tpe.c linux-2.4.20/grsecurity/grsec_tpe.c --- linux-2.4.20/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/grsec_tpe.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,33 @@ +#include +#include +#include +#include +#include + +int gr_tpe_allow(const struct file * file) +{ +#ifdef CONFIG_GRKERNSEC_TPE + struct inode * inode = file->f_dentry->d_parent->d_inode; + + if(current->uid && grsec_enable_tpe && in_group_p(grsec_tpe_gid) && + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) || + (inode->i_mode & S_IWOTH))))) { + security_alert(GR_EXEC_TPE_MSG, GR_EXEC_TPE_FLD, + gr_to_filename(file->f_dentry, file->f_vfsmnt), + DEFAULTSECARGS); + return 0; + } + +#ifdef CONFIG_GRKERNSEC_TPE_ALL + if(current->uid && grsec_enable_tpe && grsec_enable_tpe_all && + ((inode->i_uid && (inode->i_uid != current->uid)) || + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) { + security_alert(GR_EXEC_TPE_MSG, GR_EXEC_TPE_FLD, + gr_to_filename(file->f_dentry, file->f_vfsmnt), + DEFAULTSECARGS); + return 0; + } +#endif +#endif + return 1; +} diff -urN linux-2.4.20/grsecurity/grsum.c linux-2.4.20/grsecurity/grsum.c --- linux-2.4.20/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/grsum.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,241 @@ +#include +#include +#include + +/* digest-sha256.c,v 1.13 2002/10/02 22:02:08 hvr Exp $ + * + * SHA-256 code by Jean-Luc Cooke . + * + * Glue code originally by Andrew McDonald and Alan Smithee, mailed + * to maintainer on pulped trees. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + */ + +typedef struct { + __u32 state[8]; + __u32 count[2]; + __u8 buf[128]; +} sha256_ctx_t; + +static __inline__ +__u32 generic_rotr32 (const __u32 x, const unsigned bits) +{ + const unsigned n = bits % 32; + return (x >> n) | (x << (32 - n)); +} + +#define Ch(x,y,z) ((x & y) ^ (~x & z)) +#define Maj(x,y,z) ((x & y) ^ ( x & z) ^ (y & z)) +#define RORu32(x,y) generic_rotr32(x, y) +#define e0(x) (RORu32(x, 2) ^ RORu32(x,13) ^ RORu32(x,22)) +#define e1(x) (RORu32(x, 6) ^ RORu32(x,11) ^ RORu32(x,25)) +#define s0(x) (RORu32(x, 7) ^ RORu32(x,18) ^ (x >> 3)) +#define s1(x) (RORu32(x,17) ^ RORu32(x,19) ^ (x >> 10)) + +#define H0 0x6a09e667 +#define H1 0xbb67ae85 +#define H2 0x3c6ef372 +#define H3 0xa54ff53a +#define H4 0x510e527f +#define H5 0x9b05688c +#define H6 0x1f83d9ab +#define H7 0x5be0cd19 + +const static __u32 sha256_K[64] = { + 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, + 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, + 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, + 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, + 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, + 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, + 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, + 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, + 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, + 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, + 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, + 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, + 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, + 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, + 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, + 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 +}; + +#define LOAD_OP(I)\ + {\ + t1 = input[(4*I) ] & 0xff; t1<<=8;\ + t1 |= input[(4*I)+1] & 0xff; t1<<=8;\ + t1 |= input[(4*I)+2] & 0xff; t1<<=8;\ + t1 |= input[(4*I)+3] & 0xff;\ + W[I] = t1;\ + } + +#define BLEND_OP(I) W[I] = s1(W[I-2]) + W[I-7] + s0(W[I-15]) + W[I-16]; + +static void +SHA256Transform(__u32 *state, const __u8 *input) +{ + __u32 a, b, c, d, e, f, g, h, t1, t2; + __u32 W[64]; + + int i; + + /* load the input */ + LOAD_OP( 0); LOAD_OP( 1); LOAD_OP( 2); LOAD_OP( 3); + LOAD_OP( 4); LOAD_OP( 5); LOAD_OP( 6); LOAD_OP( 7); + LOAD_OP( 8); LOAD_OP( 9); LOAD_OP(10); LOAD_OP(11); + LOAD_OP(12); LOAD_OP(13); LOAD_OP(14); LOAD_OP(15); + + /* now blend */ + for (i=16; i<64; i+=8) { + BLEND_OP(i ); BLEND_OP(i+1); BLEND_OP(i+2); BLEND_OP(i+3); + BLEND_OP(i+4); BLEND_OP(i+5); BLEND_OP(i+6); BLEND_OP(i+7); + } + + /* load the state into our registers */ + a=state[0]; b=state[1]; c=state[2]; d=state[3]; + e=state[4]; f=state[5]; g=state[6]; h=state[7]; + + /* now iterate */ + for (i=0; i<64; i+=8) { + t1 = h + e1(e) + Ch(e,f,g) + sha256_K[i ] + W[i ]; + t2 = e0(a) + Maj(a,b,c); d+=t1; h=t1+t2; + t1 = g + e1(d) + Ch(d,e,f) + sha256_K[i+1] + W[i+1]; + t2 = e0(h) + Maj(h,a,b); c+=t1; g=t1+t2; + t1 = f + e1(c) + Ch(c,d,e) + sha256_K[i+2] + W[i+2]; + t2 = e0(g) + Maj(g,h,a); b+=t1; f=t1+t2; + t1 = e + e1(b) + Ch(b,c,d) + sha256_K[i+3] + W[i+3]; + t2 = e0(f) + Maj(f,g,h); a+=t1; e=t1+t2; + t1 = d + e1(a) + Ch(a,b,c) + sha256_K[i+4] + W[i+4]; + t2 = e0(e) + Maj(e,f,g); h+=t1; d=t1+t2; + t1 = c + e1(h) + Ch(h,a,b) + sha256_K[i+5] + W[i+5]; + t2 = e0(d) + Maj(d,e,f); g+=t1; c=t1+t2; + t1 = b + e1(g) + Ch(g,h,a) + sha256_K[i+6] + W[i+6]; + t2 = e0(c) + Maj(c,d,e); f+=t1; b=t1+t2; + t1 = a + e1(f) + Ch(f,g,h) + sha256_K[i+7] + W[i+7]; + t2 = e0(b) + Maj(b,c,d); e+=t1; a=t1+t2; + } + + state[0] += a; state[1] += b; state[2] += c; state[3] += d; + state[4] += e; state[5] += f; state[6] += g; state[7] += h; + + /* clear any sensitive info... */ + a = b = c = d = e = f = g = h = t1 = t2 = 0; + memset(W, 0, 64 * sizeof(__u32)); +} + +static void +SHA256Init(sha256_ctx_t *C) { + C->state[0] = H0; + C->state[1] = H1; + C->state[2] = H2; + C->state[3] = H3; + C->state[4] = H4; + C->state[5] = H5; + C->state[6] = H6; + C->state[7] = H7; + C->count[0] = C->count[1] = 0; + memset(C->buf, 0, 128); +} + +static void +SHA256Update(sha256_ctx_t *C, const __u8 *input, __u32 inputLen) +{ + __u32 i, index, partLen; + + /* Compute number of bytes mod 128 */ + index = (__u32)((C->count[0] >> 3) & 0x3f); + + /* Update number of bits */ + if ((C->count[0] += (inputLen << 3)) < (inputLen << 3)) { + C->count[1]++; + C->count[1] += (inputLen >> 29); + } + + partLen = 64 - index; + + /* Transform as many times as possible. */ + if (inputLen >= partLen) { + memcpy(&C->buf[index], input, partLen); + SHA256Transform(C->state, C->buf); + + for (i = partLen; i + 63 < inputLen; i += 64) + SHA256Transform(C->state, &input[i]); + index = 0; + } else { + i = 0; + } + + /* Buffer remaining input */ + memcpy(&C->buf[index], &input[i], inputLen-i); +} + +static void +SHA256Final(sha256_ctx_t *C, __u8 *digest) +{ + const static __u8 padding[64] = { 0x80, }; + __u8 bits[8]; + __u32 t, index, padLen; + int i, j; + + /* Save number of bits */ + t = C->count[0]; + bits[7] = t; t >>= 8; + bits[6] = t; t >>= 8; + bits[5] = t; t >>= 8; + bits[4] = t; + t = C->count[1]; + bits[3] = t; t >>= 8; + bits[2] = t; t >>= 8; + bits[1] = t; t >>= 8; + bits[0] = t; + + /* Pad out to 56 mod 64. */ + index = (C->count[0] >> 3) & 0x3f; + padLen = (index < 56) ? (56 - index) : ((64+56) - index); + SHA256Update(C, padding, padLen); + + /* Append length (before padding) */ + SHA256Update(C, bits, sizeof(bits)); + + /* Store state in digest */ + for (i = j = 0; i < 8; i++, j += 4) { + t = C->state[i]; + digest[j+3] = t; t >>= 8; + digest[j+2] = t; t >>= 8; + digest[j+1] = t; t >>= 8; + digest[j ] = t; + } + + /* Zeroize sensitive information. */ + memset(C, 0, sizeof(sha256_ctx_t)); +} + +int +chkpw(struct gr_arg *entry, struct admin_pw * pwent) +{ + sha256_ctx_t context; + unsigned char temp_sum[GR_SHA_LEN]; + volatile int retval = 0; + volatile int dummy = 0; + unsigned int i; + + SHA256Init(&context); + SHA256Update(&context, pwent->salt, GR_SALT_LEN); + SHA256Update(&context, entry->pw, strlen(entry->pw)); + SHA256Final(&context, temp_sum); + + memset(entry->pw, 0, GR_PW_LEN); + + for(i = 0; i < GR_SHA_LEN; i++) + if(pwent->sum[i] != temp_sum[i]) + retval = 1; + else + dummy = 1; // waste a cycle + + return retval; +} diff -urN linux-2.4.20/grsecurity/obsd_rand.c linux-2.4.20/grsecurity/obsd_rand.c --- linux-2.4.20/grsecurity/obsd_rand.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/grsecurity/obsd_rand.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,286 @@ + +/* + * Copyright (c) 1996, 1997, 2000-2002 Michael Shalayeff. + * + * Version 1.89, last modified 19-Sep-99 + * + * Copyright Theodore Ts'o, 1994, 1995, 1996, 1997, 1998, 1999. + * All rights reserved. + * + * Copyright 1998 Niels Provos + * All rights reserved. + * Theo de Raadt came up with the idea of using + * such a mathematical system to generate more random (yet non-repeating) + * ids to solve the resolver/named problem. But Niels designed the + * actual system based on the constraints. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer, + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Niels Provos. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include +#include +#include +#include +#include + +#define RU_OUT 180 +#define RU_MAX 30000 +#define RU_GEN 2 +#define RU_N 32749 +#define RU_AGEN 7 +#define RU_M 31104 +#define PFAC_N 3 +const static __u16 pfacts[PFAC_N] = { 2,3,2729 }; + +static __u16 ru_x; +static __u16 ru_seed, ru_seed2; +static __u16 ru_a, ru_b; +static __u16 ru_g; +static __u16 ru_counter = 0; +static __u16 ru_msb = 0; +static unsigned long ru_reseed = 0; +static __u32 tmp; + +static struct arc4_stream { + __u8 s[256]; + unsigned int cnt; + __u8 i; + __u8 j; +} arc4random_state[NR_CPUS]; + +#define TCP_RNDISS_ROUNDS 15 +#define TCP_RNDISS_OUT 7200 +#define TCP_RNDISS_MAX 30000 + +static __u8 tcp_rndiss_sbox[NR_CPUS][128]; +static __u16 tcp_rndiss_msb[NR_CPUS]; +static __u16 tcp_rndiss_cnt[NR_CPUS]; +static unsigned long tcp_rndiss_reseed[NR_CPUS]; + +static unsigned long arc4random_reseed[NR_CPUS]; + +static int arc4random_initialized[NR_CPUS]; + +static __u16 pmod(__u16, __u16, __u16); +static void ip_initid (void); +__u16 ip_randomid (void); + +static __inline__ __u8 arc4_getbyte(void); +static __inline__ void arc4_stir(void); +static void arc4maybeinit(void); +__u32 arc4random(void); + +static __inline__ __u8 arc4_getbyte(void) +{ + register __u8 si, sj; + int cpu = smp_processor_id(); + + arc4random_state[cpu].cnt++; + arc4random_state[cpu].i++; + si = arc4random_state[cpu].s[arc4random_state[cpu].i]; + arc4random_state[cpu].j += si; + sj = arc4random_state[cpu].s[arc4random_state[cpu].j]; + arc4random_state[cpu].s[arc4random_state[cpu].i] = sj; + arc4random_state[cpu].s[arc4random_state[cpu].j] = si; + return arc4random_state[cpu].s[(si + sj) & 0xff]; +} + +static __inline__ void arc4_stir(void) +{ + __u8 buf[256]; + register __u8 si; + register int n; + int len = sizeof(buf); + int cpu = smp_processor_id(); + unsigned long flags; + + do_gettimeofday((struct timeval *) buf); + get_random_bytes(buf + sizeof (struct timeval), len - sizeof(struct timeval)); + + save_flags(flags); + cli(); + + arc4random_state[cpu].i--; + for (n = 0; n < 256; n++) { + arc4random_state[cpu].i++; + si = arc4random_state[cpu].s[arc4random_state[cpu].i]; + arc4random_state[cpu].j += si + buf[n % len]; + arc4random_state[cpu].s[arc4random_state[cpu].i] = + arc4random_state[cpu].s[arc4random_state[cpu].j]; + arc4random_state[cpu].s[arc4random_state[cpu].j] = si; + } + arc4random_state[cpu].j = arc4random_state[cpu].i; + arc4random_state[cpu].cnt = 0; + + restore_flags(flags); + + for (n = 0; n < 256 * 4; n++) + arc4_getbyte(); + + return; +} + +void arc4_init(void) +{ + int i, n; + + for (n = 0; n < NR_CPUS; n++) { + for (i = 0; i < 256; i++) + arc4random_state[n].s[i] = i; + arc4random_initialized[n] = 0; + } +} + +static void arc4maybeinit(void) +{ + int cpu = smp_processor_id(); + + if (arc4random_initialized[cpu] && + time_after(xtime.tv_sec, arc4random_reseed[cpu])) + arc4random_initialized[cpu] = 0; + + if (!arc4random_initialized[cpu]) { + arc4random_initialized[cpu]++; + arc4_stir(); + arc4random_reseed[cpu] = xtime.tv_sec + (10 * 60); + } +} + +__u32 arc4random(void) +{ + arc4maybeinit(); + return ((arc4_getbyte() << 24) | (arc4_getbyte() << 16) + | (arc4_getbyte() << 8) | arc4_getbyte()); +} + +static __u16 pmod(__u16 gen, __u16 exp, __u16 mod) +{ + __u16 s, t, u; + + s = 1; + t = gen; + u = exp; + + while(u) { + if (u & 1) + s = (s*t) % mod; + u >>=1; + t = (t*t) % mod; + } + return(s); +} + +static void ip_initid (void) +{ + __u16 j, i; + int noprime = 1; + + ru_x = ((tmp = arc4random()) & 0xFFFF) %RU_M; + + ru_seed = (tmp >> 16) & 0x7FFF; + ru_seed2 = arc4random() & 0x7FFF; + + ru_b = ((tmp = arc4random()) & 0xfffe) | 1; + ru_a = pmod(RU_AGEN, (tmp >> 16) & 0xfffe, RU_M); + while (ru_b % 3 == 0) + ru_b += 2; + + j = (tmp = arc4random()) % RU_N; + tmp = tmp >> 16; + + while (noprime) { + for (i = 0; i < PFAC_N; i++) + if (j % pfacts[i] == 0) + break; + + if (i >= PFAC_N) + noprime = 0; + else + j = (j+1) % RU_N; + } + + ru_g = pmod(RU_GEN,j,RU_N); + ru_counter = 0; + + ru_reseed = xtime.tv_sec + RU_OUT; + ru_msb = ru_msb == 0x8000 ? 0 : 0x8000; +} + +__u16 ip_randomid (void) +{ + int i, n; + + if (ru_counter >= RU_MAX || time_after(xtime.tv_sec, ru_reseed)) + ip_initid(); + + if (!tmp) + tmp = arc4random(); + + n = tmp & 0x3; tmp = tmp >> 2; + if (ru_counter + n >= RU_MAX) + ip_initid(); + for (i=0; i <= n; i++) + ru_x = (ru_a*ru_x + ru_b) % RU_M; + ru_counter += i; + + return ((ru_seed ^ pmod(ru_g,ru_seed2 ^ ru_x, RU_N)) | ru_msb); +} + +__u16 tcp_rndiss_encrypt(__u16 val) +{ + __u16 sum = 0, i; + int cpu = smp_processor_id(); + + for (i = 0; i < TCP_RNDISS_ROUNDS; i++) { + sum += 0x79b9; + val ^= ((__u16)tcp_rndiss_sbox[cpu][(val^sum) ^ 0x7f]) << 7; + val = ((val & 0xff) << 7) | (val >> 8); + } + + return val; +} + +static void tcp_rndiss_init(void) +{ + int cpu = smp_processor_id(); + + get_random_bytes(tcp_rndiss_sbox[cpu], sizeof(tcp_rndiss_sbox)); + tcp_rndiss_reseed[cpu] = xtime.tv_sec + TCP_RNDISS_OUT; + tcp_rndiss_msb[cpu] = tcp_rndiss_msb[cpu] == 0x8000 ? 0 : 0x8000; + tcp_rndiss_cnt[cpu] = 0; +} + +__u32 ip_randomisn(void) +{ + int cpu = smp_processor_id(); + + if (tcp_rndiss_cnt[cpu] >= TCP_RNDISS_MAX || + time_after(xtime.tv_sec, tcp_rndiss_reseed[cpu])) + tcp_rndiss_init(); + + return (((tcp_rndiss_encrypt(tcp_rndiss_cnt[cpu]++) | tcp_rndiss_msb[cpu]) << 16) | + (arc4random() & 0x7fff)); +} diff -urN linux-2.4.20/include/asm-i386/a.out.h linux-2.4.20/include/asm-i386/a.out.h --- linux-2.4.20/include/asm-i386/a.out.h 1995-06-16 14:33:06.000000000 -0400 +++ linux-2.4.20/include/asm-i386/a.out.h 2003-02-12 23:36:37.000000000 -0500 @@ -19,7 +19,19 @@ #ifdef __KERNEL__ -#define STACK_TOP TASK_SIZE +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC +#define __STACK_TOP ((current->flags & PF_PAX_SEGMEXEC)?TASK_SIZE/2:TASK_SIZE) +#else +#define __STACK_TOP TASK_SIZE +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_RANDUSTACK +#define __DELTA_STACK (current->mm->delta_stack) +#else +#define __DELTA_STACK 0UL +#endif + +#define STACK_TOP (__STACK_TOP - __DELTA_STACK) #endif diff -urN linux-2.4.20/include/asm-i386/desc.h linux-2.4.20/include/asm-i386/desc.h --- linux-2.4.20/include/asm-i386/desc.h 2001-07-26 16:40:32.000000000 -0400 +++ linux-2.4.20/include/asm-i386/desc.h 2003-02-12 23:36:37.000000000 -0500 @@ -46,7 +46,8 @@ }; extern struct desc_struct gdt_table[]; -extern struct desc_struct *idt, *gdt; +extern struct desc_struct gdt_table2[]; +extern struct desc_struct *idt, *gdt, *gdt2; struct Xgt_desc_struct { unsigned short size; @@ -55,6 +56,7 @@ #define idt_descr (*(struct Xgt_desc_struct *)((char *)&idt - 2)) #define gdt_descr (*(struct Xgt_desc_struct *)((char *)&gdt - 2)) +#define gdt_descr2 (*(struct Xgt_desc_struct *)((char *)&gdt2 - 2)) #define load_TR(n) __asm__ __volatile__("ltr %%ax"::"a" (__TSS(n)<<3)) diff -urN linux-2.4.20/include/asm-i386/elf.h linux-2.4.20/include/asm-i386/elf.h --- linux-2.4.20/include/asm-i386/elf.h 2001-11-22 14:48:29.000000000 -0500 +++ linux-2.4.20/include/asm-i386/elf.h 2003-02-12 23:36:37.000000000 -0500 @@ -55,7 +55,11 @@ the loader. We need to make sure that it is out of the way of the program that it will "exec", and that there is sufficient room for the brk. */ +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC +#define ELF_ET_DYN_BASE ((current->flags & PF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE/3*2:TASK_SIZE/3*2) +#else #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2) +#endif /* Wow, the "main" arch needs arch dependent functions too.. :) */ diff -urN linux-2.4.20/include/asm-i386/mman.h linux-2.4.20/include/asm-i386/mman.h --- linux-2.4.20/include/asm-i386/mman.h 2000-03-14 20:45:20.000000000 -0500 +++ linux-2.4.20/include/asm-i386/mman.h 2003-02-12 23:36:37.000000000 -0500 @@ -18,6 +18,10 @@ #define MAP_LOCKED 0x2000 /* pages are locked */ #define MAP_NORESERVE 0x4000 /* don't check for reservations */ +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) +#define MAP_MIRROR 0x8000 +#endif + #define MS_ASYNC 1 /* sync memory asynchronously */ #define MS_INVALIDATE 2 /* invalidate the caches */ #define MS_SYNC 4 /* synchronous memory sync */ diff -urN linux-2.4.20/include/asm-i386/pgtable.h linux-2.4.20/include/asm-i386/pgtable.h --- linux-2.4.20/include/asm-i386/pgtable.h 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/include/asm-i386/pgtable.h 2003-02-12 23:36:37.000000000 -0500 @@ -205,6 +205,16 @@ #define PAGE_COPY __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED) #define PAGE_READONLY __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED) +#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC +#define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_ACCESSED) +#define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_ACCESSED) +#define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_ACCESSED) +#else +#define PAGE_SHARED_NOEXEC PAGE_SHARED +#define PAGE_COPY_NOEXEC PAGE_COPY +#define PAGE_READONLY_NOEXEC PAGE_READONLY +#endif + #define __PAGE_KERNEL \ (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED) #define __PAGE_KERNEL_NOCACHE \ @@ -237,18 +247,18 @@ * This is the closest we can get.. */ #define __P000 PAGE_NONE -#define __P001 PAGE_READONLY -#define __P010 PAGE_COPY -#define __P011 PAGE_COPY +#define __P001 PAGE_READONLY_NOEXEC +#define __P010 PAGE_COPY_NOEXEC +#define __P011 PAGE_COPY_NOEXEC #define __P100 PAGE_READONLY #define __P101 PAGE_READONLY #define __P110 PAGE_COPY #define __P111 PAGE_COPY #define __S000 PAGE_NONE -#define __S001 PAGE_READONLY -#define __S010 PAGE_SHARED -#define __S011 PAGE_SHARED +#define __S001 PAGE_READONLY_NOEXEC +#define __S010 PAGE_SHARED_NOEXEC +#define __S011 PAGE_SHARED_NOEXEC #define __S100 PAGE_READONLY #define __S101 PAGE_READONLY #define __S110 PAGE_SHARED diff -urN linux-2.4.20/include/asm-i386/processor.h linux-2.4.20/include/asm-i386/processor.h --- linux-2.4.20/include/asm-i386/processor.h 2002-08-02 20:39:45.000000000 -0400 +++ linux-2.4.20/include/asm-i386/processor.h 2003-02-12 23:36:37.000000000 -0500 @@ -271,10 +271,19 @@ */ #define TASK_SIZE (PAGE_OFFSET) +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC +#define SEGMEXEC_TASK_SIZE ((PAGE_OFFSET) / 2) +#endif + /* This decides where the kernel will search for a free chunk of vm * space during mmap's. */ + +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC +#define TASK_UNMAPPED_BASE ((current->flags & PF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE/3:TASK_SIZE/3) +#else #define TASK_UNMAPPED_BASE (TASK_SIZE / 3) +#endif /* * Size of io_bitmap in longwords: 32 is ports 0-0x3ff. diff -urN linux-2.4.20/include/asm-i386/system.h linux-2.4.20/include/asm-i386/system.h --- linux-2.4.20/include/asm-i386/system.h 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/include/asm-i386/system.h 2003-02-12 23:36:37.000000000 -0500 @@ -12,6 +12,8 @@ struct task_struct; /* one of the stranger aspects of C forward declarations.. */ extern void FASTCALL(__switch_to(struct task_struct *prev, struct task_struct *next)); +void pax_reload_gdt(struct task_struct *); + #define prepare_to_switch() do { } while(0) #define switch_to(prev,next,last) do { \ asm volatile("pushl %%esi\n\t" \ diff -urN linux-2.4.20/include/asm-sparc64/a.out.h linux-2.4.20/include/asm-sparc64/a.out.h --- linux-2.4.20/include/asm-sparc64/a.out.h 2001-04-27 01:17:26.000000000 -0400 +++ linux-2.4.20/include/asm-sparc64/a.out.h 2003-02-12 23:36:37.000000000 -0500 @@ -95,7 +95,14 @@ #ifdef __KERNEL__ -#define STACK_TOP (current->thread.flags & SPARC_FLAG_32BIT ? 0xf0000000 : 0x80000000000L) +#ifdef CONFIG_GRKERNSEC_PAX_RANDUSTACK +#define __DELTA_STACK (current->mm->delta_stack) +#else +#define __DELTA_STACK 0UL +#endif + +#define __STACK_TOP (current->thread.flags & SPARC_FLAG_32BIT ? 0xf0000000 : 0x80000000000L) +#define STACK_TOP (__STACK_TOP - __DELTA_STACK) #endif diff -urN linux-2.4.20/include/linux/a.out.h linux-2.4.20/include/linux/a.out.h --- linux-2.4.20/include/linux/a.out.h 2001-11-22 14:46:18.000000000 -0500 +++ linux-2.4.20/include/linux/a.out.h 2003-02-12 23:36:37.000000000 -0500 @@ -37,6 +37,14 @@ M_MIPS2 = 152 /* MIPS R6000/R4000 binary */ }; +/* Constants for the N_FLAGS field */ +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */ +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */ +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */ +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */ +#define F_PAX_RANDEXEC 16 /* Randomize ET_EXEC base */ +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */ + #if !defined (N_MAGIC) #define N_MAGIC(exec) ((exec).a_info & 0xffff) #endif diff -urN linux-2.4.20/include/linux/binfmts.h linux-2.4.20/include/linux/binfmts.h --- linux-2.4.20/include/linux/binfmts.h 2001-11-22 14:46:19.000000000 -0500 +++ linux-2.4.20/include/linux/binfmts.h 2003-02-12 23:36:37.000000000 -0500 @@ -1,6 +1,7 @@ #ifndef _LINUX_BINFMTS_H #define _LINUX_BINFMTS_H +#include #include #include diff -urN linux-2.4.20/include/linux/elf.h linux-2.4.20/include/linux/elf.h --- linux-2.4.20/include/linux/elf.h 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/include/linux/elf.h 2003-02-12 23:36:37.000000000 -0500 @@ -117,6 +117,8 @@ #define DT_DEBUG 21 #define DT_TEXTREL 22 #define DT_JMPREL 23 +#define DT_FLAGS 30 +#define DF_TEXTREL 0x00000004 #define DT_LOPROC 0x70000000 #define DT_HIPROC 0x7fffffff #define DT_MIPS_RLD_VERSION 0x70000001 @@ -255,6 +257,13 @@ #define R_MIPS_LOVENDOR 100 #define R_MIPS_HIVENDOR 127 +/* Constants for the e_flags field */ +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */ +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */ +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */ +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */ +#define EF_PAX_RANDEXEC 16 /* Randomize ET_EXEC base */ +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */ /* * Sparc ELF relocation types @@ -550,6 +559,8 @@ #define EI_VERSION 6 #define EI_PAD 7 +#define EI_PAX 14 + #define ELFMAG0 0x7f /* EI_MAG */ #define ELFMAG1 'E' #define ELFMAG2 'L' @@ -597,6 +608,7 @@ #define elfhdr elf32_hdr #define elf_phdr elf32_phdr #define elf_note elf32_note +#define elf_dyn Elf32_Dyn #else @@ -604,6 +616,7 @@ #define elfhdr elf64_hdr #define elf_phdr elf64_phdr #define elf_note elf64_note +#define elf_dyn Elf64_Dyn #endif diff -urN linux-2.4.20/include/linux/fs.h linux-2.4.20/include/linux/fs.h --- linux-2.4.20/include/linux/fs.h 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/include/linux/fs.h 2003-02-12 23:36:37.000000000 -0500 @@ -1065,7 +1065,7 @@ asmlinkage long sys_open(const char *, int, int); asmlinkage long sys_close(unsigned int); /* yes, it's really unsigned */ -extern int do_truncate(struct dentry *, loff_t start); +extern int do_truncate(struct dentry *, loff_t start, struct vfsmount *); extern struct file *filp_open(const char *, int, int); extern struct file * dentry_open(struct dentry *, struct vfsmount *, int); diff -urN linux-2.4.20/include/linux/gracl.h linux-2.4.20/include/linux/gracl.h --- linux-2.4.20/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/include/linux/gracl.h 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,157 @@ +#ifndef GR_ACL_H +#define GR_ACL_H +#endif +#include +#include + +#include + +/* * * * * * * * * * * * * * * * * * * * * + * grsecurity ACL System + * Main header file + * Purpose: define most gracl data structures + * * * * * * * * * * * * * * * * * * * * */ + +/* Major status information */ + +#define GR_VERSION "grsecurity 1.9.9" + +enum { + + SHUTDOWN = 0, + ENABLE = 1, + GOD = 2, + RELOAD = 3, + SEGVMOD = 4 +}; + +/* Password setup definitions + * kernel/grhash.c */ +enum { + GR_PW_LEN = 128, + GR_SALT_LEN = 16, + GR_SHA_LEN = 32, +}; + +/* Begin Data Structures */ + +struct admin_pw { + unsigned char salt[GR_SALT_LEN]; + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */ +}; + +struct name_entry { + ino_t inode; + kdev_t device; + char *name; +}; + +struct acl_subject_db { + struct acl_subject_label **s_hash; + __u32 s_size; +}; + +struct name_db { + struct name_entry **n_hash; + __u32 n_size; +}; + +struct crash_uid { + uid_t uid; + unsigned long expires; +}; + +/* Userspace Grsecurity ACL data structures */ +struct acl_subject_label { + char * filename; + ino_t inode; + kdev_t device; + __u32 mode; + __u32 cap_raise; + __u32 cap_lower; + + struct rlimit res[RLIM_NLIMITS + 1]; + __u16 resmask; + + __u32 ip_proto[8]; + __u32 ip_type; + struct acl_ip_label ** ips; + __u32 ip_num; + + __u32 crashes; + unsigned long expires; + + struct acl_object_label *proc_object; + struct acl_ip_label *ip_object; + struct acl_subject_label *prev; + struct acl_subject_label *next; + + struct acl_object_label **obj_hash; + __u32 obj_hash_size; +}; + +struct user_acl_subject_db { + struct acl_subject_label **s_table; + __u32 s_entries; /* Number of entries in table */ + __u32 i_entries; /* total number of ip acls */ + __u32 o_entries; /* Total number of object acls */ +}; + +struct acl_object_label { + char * filename; + ino_t inode; + kdev_t device; + __u32 mode; + + /* next two structures not used */ + + struct acl_object_label *prev; + struct acl_object_label *next; +}; + +struct acl_ip_label { + __u32 addr; + __u32 netmask; + __u16 low, high; + __u8 mode; + __u32 type; + __u32 proto[8]; + + /* next two structures not used */ + + struct acl_ip_label *prev; + struct acl_ip_label *next; +}; + +struct gr_arg { + struct user_acl_subject_db subj_db; + unsigned char pw[GR_PW_LEN]; + unsigned char salt[GR_SALT_LEN]; + unsigned char sum[GR_SHA_LEN]; + kdev_t segv_device; + ino_t segv_inode; + uid_t segv_uid; + __u16 mode; + +}; + +/* End Data Structures Section */ + +/* Hash functions generated by empirical testing by Brad Spengler + Makes good use of the low bits of the inode. Generally 0-1 times + in loop for successful match. 0-3 for unsuccessful match. + Shift/add algorithm with modulus of table size and an XOR*/ + + +static __inline__ unsigned long +fhash(const ino_t ino, const kdev_t dev, const unsigned long sz) +{ + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz); +} + +static __inline__ unsigned long +nhash(const char *name, const unsigned long sz) +{ + return full_name_hash(name, strlen(name)) % sz; +} + diff -urN linux-2.4.20/include/linux/gralloc.h linux-2.4.20/include/linux/gralloc.h --- linux-2.4.20/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/include/linux/gralloc.h 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,8 @@ +#ifndef __GRALLOC_H +#define __GRALLOC_H + +void acl_free_all(void); +int acl_alloc_stack_init(unsigned long size); +void *acl_alloc(unsigned long len); + +#endif diff -urN linux-2.4.20/include/linux/grdefs.h linux-2.4.20/include/linux/grdefs.h --- linux-2.4.20/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/include/linux/grdefs.h 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,81 @@ +#ifndef GRDEFS_H +#define GRDEFS_H + +/* Begin grsecurity status declarations */ + +enum { + GR_READY = 0x01, + GR_STATUS_INIT = 0x00 // disabled state +}; + +/* Begin ACL declarations */ + +/* ACL Subject and Object mode flags */ +enum { + GR_DELETED = 0x00000080 +}; + +/* ACL Object-only mode flags */ +enum { + GR_READ = 0x00000001, + GR_APPEND = 0x00000002, + GR_WRITE = 0x00000004, + GR_EXEC = 0x00000008, + GR_FIND = 0x00000010, + GR_INHERIT = 0x00000040, + GR_PTRACERD = 0x00000100, + GR_AUDIT_READ = 0x00000200, + GR_AUDIT_APPEND = 0x00000400, + GR_AUDIT_WRITE = 0x00001000, + GR_AUDIT_EXEC = 0x00002000, + GR_AUDIT_FIND = 0x00004000, + GR_AUDIT_INHERIT = 0x00008000, + GR_AUDIT_PTRACERD= 0x00010000 +}; + +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \ + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_PTRACERD) + +/* ACL subject-only mode flags */ +enum { + GR_KILL = 0x00000001, + GR_VIEW = 0x00000002, + GR_PROTECTED = 0x00000100, + GR_LEARN = 0x00000200, + GR_OVERRIDE = 0x00000400, + /* just a placeholder, this mode is only used in userspace */ + GR_DUMMY = 0x00000800, + + GR_PAXPAGE = 0x00001000, + GR_PAXSEGM = 0x00002000, + GR_PAXGCC = 0x00004000, + GR_PAXRANDMMAP = 0x00008000, + GR_PAXRANDEXEC = 0x00010000, + GR_PAXMPROTECT = 0x00020000, + GR_PROTSHM = 0x00040000, + GR_KILLPROC = 0x00080000, + GR_KILLIPPROC = 0x00100000, + /* just a placeholder, this mode is only used in userspace */ + GR_NOTROJAN = 0x00200000, + GR_PROTPROCFD = 0x00400000 +}; + +#define GR_CRASH_RES 11 +#define GR_UIDTABLE_MAX 500 + +/* begin resource learning section */ +enum { + GR_RLIM_CPU_BUMP = 60, + GR_RLIM_FSIZE_BUMP = 50000, + GR_RLIM_DATA_BUMP = 10000, + GR_RLIM_STACK_BUMP = 1000, + GR_RLIM_CORE_BUMP = 10000, + GR_RLIM_RSS_BUMP = 500000, + GR_RLIM_NPROC_BUMP = 1, + GR_RLIM_NOFILE_BUMP = 5, + GR_RLIM_MEMLOCK_BUMP = 50000, + GR_RLIM_AS_BUMP = 500000, + GR_RLIM_LOCKS_BUMP = 2 +}; + +#endif diff -urN linux-2.4.20/include/linux/grinternal.h linux-2.4.20/include/linux/grinternal.h --- linux-2.4.20/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/include/linux/grinternal.h 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,177 @@ +#ifndef __GRINTERNAL_H +#define __GRINTERNAL_H + +#ifdef CONFIG_GRKERNSEC + +#include +#include + +extern __u32 gr_search_file(const struct dentry *dentry, const __u32 mode, + const struct vfsmount *mnt); +extern __u32 gr_check_create(const struct dentry *new_dentry, + const struct dentry *parent, + const struct vfsmount *mnt, const __u32 mode); +extern int gr_check_protected_task(const struct task_struct *task); +extern __inline__ __u32 to_gr_audit(const __u32 reqmode); +extern int gr_handle_rename(struct inode * old_dir, struct inode * new_dir, + struct dentry * old_dentry, + struct dentry * new_dentry, + struct vfsmount * mnt, const __u8 replace); +extern int gr_set_acls(const int type); + +extern void gr_handle_alertkill(void); +extern char *gr_to_filename(const struct dentry *dentry, + const struct vfsmount *mnt); + +extern int grsec_enable_link; +extern int grsec_enable_fifo; +extern int grsec_enable_execve; +extern int grsec_enable_forkbomb; +extern int grsec_forkbomb_gid; +extern int grsec_forkbomb_sec; +extern int grsec_forkbomb_max; +extern int grsec_enable_execlog; +extern int grsec_enable_signal; +extern int grsec_enable_forkfail; +extern int grsec_enable_time; +extern int grsec_enable_chroot_shmat; +extern int grsec_enable_chroot_findtask; +extern int grsec_enable_chroot_mount; +extern int grsec_enable_chroot_double; +extern int grsec_enable_chroot_pivot; +extern int grsec_enable_chroot_chdir; +extern int grsec_enable_chroot_chmod; +extern int grsec_enable_chroot_mknod; +extern int grsec_enable_chroot_fchdir; +extern int grsec_enable_chroot_nice; +extern int grsec_enable_chroot_execlog; +extern int grsec_enable_chroot_caps; +extern int grsec_enable_chroot_sysctl; +extern int grsec_enable_chroot_unix; +extern int grsec_enable_tpe; +extern int grsec_tpe_gid; +extern int grsec_enable_tpe_all; +extern int grsec_enable_sidcaps; +extern int grsec_enable_randpid; +extern int grsec_enable_socket_all; +extern int grsec_socket_all_gid; +extern int grsec_enable_socket_client; +extern int grsec_socket_client_gid; +extern int grsec_enable_socket_server; +extern int grsec_socket_server_gid; +extern int grsec_audit_gid; +extern int grsec_enable_group; +extern int grsec_enable_audit_ipc; +extern int grsec_enable_mount; +extern int grsec_enable_chdir; +extern int grsec_lock; + +extern struct task_struct *child_reaper; + +extern spinlock_t grsec_alert_lock; +extern unsigned long grsec_alert_wtime; +extern unsigned long grsec_alert_fyet; + +extern spinlock_t grsec_alertgood_lock; +extern unsigned long grsec_alertgood_wtime; +extern unsigned long grsec_alertgood_fyet; + +extern spinlock_t grsec_audit_lock; +extern spinlock_t grsec_learn_lock; + +#define proc_is_chrooted(tsk_a) ((tsk_a->fs->root->d_inode->i_dev != \ + child_reaper->fs->root->d_inode->i_dev) || \ + (tsk_a->fs->root->d_inode->i_ino != \ + child_reaper->fs->root->d_inode->i_ino)) + +#define have_same_root(tsk_a,tsk_b) ((tsk_a->fs->root->d_inode->i_dev == \ + tsk_b->fs->root->d_inode->i_dev) && \ + (tsk_a->fs->root->d_inode->i_ino == \ + tsk_b->fs->root->d_inode->i_ino)) + +#define DEFAULTSECARGS current->comm, current->pid, current->uid, \ + current->euid, current->p_pptr->comm, \ + current->p_pptr->pid, current->p_pptr->uid, \ + current->p_pptr->euid + +#define GR_CHROOT_CAPS ( \ + CAP_TO_MASK(CAP_FOWNER) | CAP_TO_MASK(CAP_SYS_RESOURCE) | \ + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \ + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \ + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \ + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \ + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \ + CAP_TO_MASK(CAP_IPC_OWNER)) + +#define security_alert_good(normal_msg,flood_msg,args...) \ +({ \ + spin_lock(&grsec_alertgood_lock); \ + \ + if (!grsec_alertgood_wtime || jiffies - grsec_alertgood_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) { \ + grsec_alertgood_wtime = jiffies; grsec_alertgood_fyet = 0; \ + if (current->curr_ip) \ + printk(KERN_ALERT "grsec: From %u.%u.%u.%u: " normal_msg "\n", NIPQUAD(current->curr_ip) , ## args); \ + else \ + printk(KERN_ALERT "grsec: " normal_msg "\n" , ## args); \ + } else if((jiffies - grsec_alertgood_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alertgood_fyet < CONFIG_GRKERNSEC_FLOODBURST)) { \ + grsec_alertgood_fyet++; \ + if (current->curr_ip) \ + printk(KERN_ALERT "grsec: From %u.%u.%u.%u: " normal_msg "\n", NIPQUAD(current->curr_ip) , ## args); \ + else \ + printk(KERN_ALERT "grsec: " normal_msg "\n" , ## args); \ + } else if (grsec_alertgood_fyet == CONFIG_GRKERNSEC_FLOODBURST) { \ + grsec_alertgood_wtime = jiffies; grsec_alertgood_fyet++; \ + printk(KERN_ALERT "grsec: more " flood_msg \ + ", logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME); \ + } \ + \ + spin_unlock(&grsec_alertgood_lock); \ +}) + +#define security_alert(normal_msg,flood_msg,args...) \ +({ \ + spin_lock(&grsec_alert_lock); \ + \ + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) { \ + grsec_alert_wtime = jiffies; grsec_alert_fyet = 0; \ + if (current->curr_ip) \ + printk(KERN_ALERT "grsec: From %u.%u.%u.%u: " normal_msg "\n", NIPQUAD(current->curr_ip) , ## args); \ + else \ + printk(KERN_ALERT "grsec: " normal_msg "\n" , ## args); \ + } else if((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) { \ + grsec_alert_fyet++; \ + if (current->curr_ip) \ + printk(KERN_ALERT "grsec: From %u.%u.%u.%u: " normal_msg "\n", NIPQUAD(current->curr_ip) , ## args); \ + else \ + printk(KERN_ALERT "grsec: " normal_msg "\n" , ## args); \ + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) { \ + grsec_alert_wtime = jiffies; grsec_alert_fyet++; \ + printk(KERN_ALERT "grsec: more " flood_msg \ + ", logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME); \ + } \ + \ + gr_handle_alertkill(); \ + spin_unlock(&grsec_alert_lock); \ +}) + +#define security_audit(normal_msg,args...) \ +({ \ + spin_lock(&grsec_audit_lock); \ + if (current->curr_ip) \ + printk(KERN_INFO "grsec: From %u.%u.%u.%u: " normal_msg "\n", \ + NIPQUAD(current->curr_ip) , ## args); \ + else \ + printk(KERN_INFO "grsec: " normal_msg "\n", ## args); \ + spin_unlock(&grsec_audit_lock); \ +}) + +#define security_learn(normal_msg,args...) \ +({ \ + spin_lock(&grsec_learn_lock); \ + printk(KERN_INFO "grsec: " normal_msg "\n", ## args); \ + spin_unlock(&grsec_learn_lock); \ +}) + +#endif + +#endif diff -urN linux-2.4.20/include/linux/grmsg.h linux-2.4.20/include/linux/grmsg.h --- linux-2.4.20/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/include/linux/grmsg.h 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,182 @@ +#define DEFAULTSECMSG "(%.16s:%d) UID(%d) EUID(%d), parent (%.16s:%d) UID(%d) EUID(%d)" +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by " DEFAULTSECMSG +#define GR_PTRACE_ACL_FLD "denied ptraces" +#define GR_IOPERM_MSG "denied use of ioperm() by " DEFAULTSECMSG +#define GR_IOPERM_FLD "denied ioperms" +#define GR_IOPL_MSG "denied use of iopl() by " DEFAULTSECMSG +#define GR_IOPL_FLD "denied iopls" +#define GR_ACL_PIDMEM_MSG "denied access to pid/mem entry of " DEFAULTSECMSG " by " DEFAULTSECMSG +#define GR_ACL_PIDMEM_FLD "denied pid/mem accesses" +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by " DEFAULTSECMSG +#define GR_SHMAT_ACL_FLD "denied shared memory attaches" +#define GR_UNIX_CHROOT_MSG "denied connect to abstract AF_UNIX socket outside of chroot by " DEFAULTSECMSG +#define GR_UNIX_CHROOT_FLD "denied abstract AF_UNIX connects in chroot" +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by " DEFAULTSECMSG +#define GR_SHMAT_CHROOT_FLD "denied shared memory attaches in chroot" +#define GR_KMEM_MSG "attempted write to /dev/kmem by " DEFAULTSECMSG +#define GR_KMEM_FLD "attempted kmem writes" +#define GR_PORT_OPEN_MSG "attempted open of /dev/port by " DEFAULTSECMSG +#define GR_PORT_OPEN_FLD "attempted port opens" +#define GR_MEM_WRITE_MSG "attempted write of /dev/mem by " DEFAULTSECMSG +#define GR_MEM_WRITE_FLD "attempted mem writes" +#define GR_MEM_MMAP_MSG "attempted mmap write of /dev/[k]mem by " DEFAULTSECMSG +#define GR_MEM_MMAP_FLD "attempted mem mmaps" +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by " DEFAULTSECMSG +#define GR_SYMLINK_FLD "symlinks not followed" +#define GR_LEARN_AUDIT_MSG "LEARN:%d:%lu:%lu:%lu:%.950s:%lu" +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by " DEFAULTSECMSG +#define GR_HIDDEN_ACL_FLD "denied hidden file accesses" +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by " DEFAULTSECMSG +#define GR_OPEN_ACL_FLD "denied file opens" +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by " DEFAULTSECMSG +#define GR_FIFO_FLD "writes into a FIFO denied" +#define GR_MKNOD_CHROOT_MSG "refused attempt to mknod %.950s from chroot by " DEFAULTSECMSG +#define GR_MKNOD_CHROOT_FLD "mknods in chroot denied" +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by " DEFAULTSECMSG +#define GR_MKNOD_ACL_FLD "denied mknods" +#define GR_UNIXCONNECT_ACL_MSG "%s connect to the unix domain socket %.950s by " DEFAULTSECMSG +#define GR_UNIXCONNECT_ACL_FLD "denied unix domain connects" +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by " DEFAULTSECMSG +#define GR_MKDIR_ACL_FLD "denied mkdirs" +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by " DEFAULTSECMSG +#define GR_RMDIR_ACL_FLD "denied rmdirs" +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by " DEFAULTSECMSG +#define GR_UNLINK_ACL_FLD "denied unlinks" +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by " DEFAULTSECMSG +#define GR_SYMLINK_ACL_FLD "denied symlinks" +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for " DEFAULTSECMSG +#define GR_HARDLINK_FLD "denied hardlinks" +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by " DEFAULTSECMSG +#define GR_LINK_ACL_FLD "denied links" +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by " DEFAULTSECMSG +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by " DEFAULTSECMSG +#define GR_RENAME_ACL_FLD "denied renames" +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by " DEFAULTSECMSG +#define GR_PTRACE_EXEC_ACL_FLD "denied ptraces" +#define GR_NPROC_MSG "attempt to overstep process limit by " DEFAULTSECMSG +#define GR_NPROC_FLD "proc limit overstep" +#define GR_EXEC_ACL_MSG "%s execution of %.950s by " DEFAULTSECMSG +#define GR_EXEC_ACL_FLD "denied file execs" +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by " DEFAULTSECMSG +#define GR_EXEC_TPE_FLD "denied untrusted execs" +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " Banning uid %u from login for %lu seconds" +#define GR_SEGVSTART_ACL_FLD "possible exploit bruteforcing" +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " Banning execution of [%.16s:%lu] for %lu seconds" +#define GR_SEGVNOSUID_ACL_FLD "possible exploit bruteforcing" +#define GR_MOUNT_CHROOT_MSG "denied attempt to mount %.30s as %.930s from chroot by " DEFAULTSECMSG +#define GR_MOUNT_CHROOT_FLD "denied mounts in chroot" +#define GR_PIVOT_CHROOT_MSG "denied attempt to pivot_root from chroot by " DEFAULTSECMSG +#define GR_PIVOT_CHROOT_FLD "denied pivot_roots in chroot" +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by " DEFAULTSECMSG +#define GR_TRUNCATE_ACL_FLD "denied truncations" +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by " DEFAULTSECMSG +#define GR_ATIME_ACL_FLD "denied file access time changes" +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by " DEFAULTSECMSG +#define GR_ACCESS_ACL_FLD "denied file accesses" +#define GR_CHROOT_CHROOT_MSG "denied attempt to double chroot to %.950s by " DEFAULTSECMSG +#define GR_CHROOT_CHROOT_FLD "double chroot denied" +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by " DEFAULTSECMSG +#define GR_FCHMOD_ACL_FLD "denied fchmods" +#define GR_CHMOD_CHROOT_MSG "denied attempt to chmod +s %.950s by " DEFAULTSECMSG +#define GR_CHMOD_CHROOT_FLD "denied chmod +s in chroot" +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by " DEFAULTSECMSG +#define GR_CHMOD_ACL_FLD "denied chmods" +#define GR_CHROOT_FCHDIR_MSG "attempted fchdir outside of chroot to %.950s by " DEFAULTSECMSG +#define GR_CHROOT_FCHDIR_FLD "attempted fchdirs" +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by " DEFAULTSECMSG +#define GR_CHOWN_ACL_FLD "denied chowns" +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by " DEFAULTSECMSG +#define GR_WRITLIB_ACL_FLD "denied writable library loads" +#define GR_INITF_ACL_MSG "init_variables() failed %s" +#define GR_INITF_ACL_FLD "init_variables() failures" +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use gracl=off from your boot loader" +#define GR_DISABLED_ACL_FLD "error loading acls" +#define GR_PROC_ACL_MSG "Proc handler: being fed garbage %d bytes sent %d required" +#define GR_PROC_ACL_FLD "proc garbage" +#define GR_SHUTS_ACL_MSG "shutdown auth success for " DEFAULTSECMSG +#define GR_SHUTS_ACL_FLD "shutdown successes" +#define GR_SHUTF_ACL_MSG "shutdown auth failure for " DEFAULTSECMSG +#define GR_SHUTF_ACL_FLD "shutdown failures" +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled acl for " DEFAULTSECMSG +#define GR_SHUTI_ACL_FLD "ignored shutdowns" +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for " DEFAULTSECMSG +#define GR_SEGVMODS_ACL_FLD "segvmod successes" +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for " DEFAULTSECMSG +#define GR_SEGVMODF_ACL_FLD "segvmod failures" +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled acl for " DEFAULTSECMSG +#define GR_SEGVMODI_ACL_FLD "ignored segvmods" +#define GR_ENABLE_ACL_MSG "Loaded %s" +#define GR_ENABLE_ACL_FLD "grsecurity loads" +#define GR_ENABLEF_ACL_MSG "Unable to load %s for " DEFAULTSECMSG " ACL system may already be enabled." +#define GR_ENABLEF_ACL_FLD "enable failures" +#define GR_RELOADI_ACL_MSG "Ignoring reload request for disabled ACL" +#define GR_RELOADI_ACL_FLD "attempts to reload gracl when disabled" +#define GR_RELOAD_ACL_MSG "Reloaded %s" +#define GR_RELOAD_ACL_FLD "grsecurity reloads" +#define GR_RELOADF_ACL_MSG "Failed reload of %s for " DEFAULTSECMSG +#define GR_RELOADF_ACL_FLD "reload failures" +#define GR_ADMINI_ACL_MSG "Ignoring change to admin mode for disabled acl for " DEFAULTSECMSG +#define GR_ADMINI_ACL_FLD "ignored admin" +#define GR_ADMINS_ACL_MSG "successful change to admin mode by " DEFAULTSECMSG +#define GR_ADMINS_ACL_FLD "changes to admin mode" +#define GR_ADMINL_ACL_MSG "admin mode exited by " DEFAULTSECMSG +#define GR_ADMINL_ACL_FLD "leaving admin mode" +#define GR_ADMINF_ACL_MSG "admin auth failure for " DEFAULTSECMSG +#define GR_ADMINF_ACL_FLD "admin failures" +#define GR_INVMODE_ACL_MSG "Invalid mode %d by " DEFAULTSECMSG +#define GR_INVMODE_ACL_FLD "invalid modes" +#define GR_MAXPW_ACL_MSG "Maximum pw attempts reached (%d), locking password authentication" +#define GR_MAXPW_ACL_FLD "password attempts failed" +#define GR_PRIORITY_CHROOT_MSG "attempted priority change of process (%.16s:%d) by " DEFAULTSECMSG +#define GR_PRIORITY_CHROOT_FLD "attempted priority changes" +#define GR_CAPSET_CHROOT_MSG "denied capset of (%.16s:%d) within chroot by " DEFAULTSECMSG +#define GR_CAPSET_CHROOT_FLD "denied chroot capsets" +#define GR_FAILFORK_MSG "failed fork with errno %d by " DEFAULTSECMSG +#define GR_FAILFORK_FLD "failed forks" +#define GR_NICE_CHROOT_MSG "attempted priority change by " DEFAULTSECMSG +#define GR_NICE_CHROOT_FLD "attempted priority changes" +#define GR_UNISIGLOG_MSG "signal %d sent to " DEFAULTSECMSG +#define GR_UNISIGLOG_FLD "signal warnings" +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by " DEFAULTSECMSG +#define GR_DUALSIGLOG_FLD "signal warnings" +#define GR_SIG_ACL_MSG "Attempted send of signal %d to protected task " DEFAULTSECMSG " by " DEFAULTSECMSG +#define GR_SIG_ACL_FLD "signals to protected processes" +#define GR_SYSCTL_MSG "attempt to modify grsecurity sysctl value : %.32s by " DEFAULTSECMSG +#define GR_SYSCTL_FLD "attempted sysctl changes" +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by " DEFAULTSECMSG +#define GR_SYSCTL_ACL_FLD "denied sysctl accesses" +#define GR_TIME_MSG "time set by " DEFAULTSECMSG +#define GR_TIME_FLD "time sets" +#define GR_DEFACL_MSG "Fatal: Unable to find ACL for (%.16s:%d)" +#define GR_DEFACL_FLD "default acl errors" +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by " DEFAULTSECMSG +#define GR_MMAP_ACL_FLD "denied mmap execs" +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by " DEFAULTSECMSG +#define GR_MPROTECT_ACL_FLD "denied mprotect execs" +#define GR_SOCK_MSG "attempted socket(%d,%d,%d) by " DEFAULTSECMSG +#define GR_SOCK_FLD "attempted sockets" +#define GR_BIND_MSG "attempted bind() by " DEFAULTSECMSG +#define GR_BIND_FLD "attempted binds" +#define GR_CONNECT_MSG "attempted connect by " DEFAULTSECMSG +#define GR_CONNECT_FLD "attempted connects" +#define GR_BIND_ACL_MSG "attempted bind to %u.%u.%u.%u port %u sock type %u protocol %u by " DEFAULTSECMSG +#define GR_BIND_ACL_FLD "attempted binds" +#define GR_CONNECT_ACL_MSG "attempted connect to %u.%u.%u.%u port %u sock type %u protocol %u by " DEFAULTSECMSG +#define GR_CONNECT_ACL_FLD "attempted connects" +#define GR_IP_LEARN_MSG "LEARN:%d:%lu:%u.%u.%u.%u:%u:%u:%u:%u" +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process " DEFAULTSECMSG +#define GR_CAP_ACL_MSG "use of %s denied for " DEFAULTSECMSG +#define GR_CAP_ACL_FLD "denied capabilities" +#define GR_REMOUNT_AUDIT_MSG "remount of %.30s by " DEFAULTSECMSG +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.30s by " DEFAULTSECMSG +#define GR_MOUNT_AUDIT_MSG "mount %.30s to %.64s by " DEFAULTSECMSG +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by " DEFAULTSECMSG +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.63s) by " DEFAULTSECMSG +#define GR_MSGQ_AUDIT_MSG "message queue created by " DEFAULTSECMSG +#define GR_MSGQR_AUDIT_MSG "message queue of uid:%d euid:%d removed by " DEFAULTSECMSG +#define GR_SEM_AUDIT_MSG "semaphore created by " DEFAULTSECMSG +#define GR_SEMR_AUDIT_MSG "semaphore of uid:%d euid:%d removed by " DEFAULTSECMSG +#define GR_SHM_AUDIT_MSG "shared memory of size %d created by " DEFAULTSECMSG +#define GR_SHMR_AUDIT_MSG "shared memory of uid:%d euid:%d removed by " DEFAULTSECMSG +#define GR_RESOURCE_MSG "attempted resource overstep by requesting %lu for %.16s against limit %lu by " DEFAULTSECMSG +#define GR_RESOURCE_FLD "attempted resource overstepping" diff -urN linux-2.4.20/include/linux/grsecurity.h linux-2.4.20/include/linux/grsecurity.h --- linux-2.4.20/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/include/linux/grsecurity.h 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,167 @@ +#ifndef GR_SECURITY_H +#define GR_SECURITY_H + +extern int gr_pid_is_chrooted(const struct task_struct *p); +extern int gr_handle_chroot_nice(void); +extern int gr_handle_chroot_sysctl(const int op); +extern int gr_handle_chroot_capset(const struct task_struct *target); +extern int gr_handle_chroot_setpriority(const struct task_struct *p, + const int niceval); +extern int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt); +extern int gr_handle_chroot_chroot(const struct dentry *dentry, + const struct vfsmount *mnt); +extern void gr_handle_chroot_caps(void); +extern void gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt); +extern int gr_handle_chroot_chmod(const struct dentry *dentry, + const struct vfsmount *mnt, const int mode); +extern int gr_handle_chroot_mknod(const struct dentry *dentry, + const struct vfsmount *mnt, + const int mode); +extern int gr_handle_chroot_mount(const struct dentry *dentry, + const struct vfsmount *mnt, + const char *dev_name); +extern int gr_handle_chroot_pivot(void); +extern int gr_handle_chroot_unix(const pid_t pid); + +extern int gr_handle_nproc(void); + +extern void gr_handle_ioperm(void); +extern void gr_handle_iopl(void); + +extern int gr_tpe_allow(const struct file *file); + +extern int gr_random_pid(spinlock_t *pid_lock); + +extern void gr_log_forkfail(const int retval); +extern void gr_log_timechange(void); +extern void gr_log_signal(const int sig, const struct task_struct *t); +extern void gr_log_chdir(const struct dentry *dentry, + const struct vfsmount *mnt); +extern void gr_log_chroot_exec(const struct dentry *dentry, + const struct vfsmount *mnt); +extern void gr_handle_exec_args(struct linux_binprm *bprm, char **argv); +extern void gr_log_remount(const char *devname, const int retval); +extern void gr_log_unmount(const char *devname, const int retval); +extern void gr_log_mount(const char *from, const char *to, const int retval); +extern void gr_log_msgget(const int ret, const int msgflg); +extern void gr_log_msgrm(const uid_t uid, const uid_t cuid); +extern void gr_log_semget(const int err, const int semflg); +extern void gr_log_semrm(const uid_t uid, const uid_t cuid); +extern void gr_log_shmget(const int err, const int shmflg, const size_t size); +extern void gr_log_shmrm(const uid_t uid, const uid_t cuid); + +extern int gr_handle_follow_link(const struct inode *parent, + const struct inode *inode, + const struct dentry *dentry, + const struct vfsmount *mnt); +extern int gr_handle_fifo(const struct dentry *dentry, + const struct vfsmount *mnt, + const struct dentry *dir, const int flag, + const int acc_mode); +extern int gr_handle_hardlink(const struct dentry *dentry, + const struct vfsmount *mnt, + struct inode *inode, + const int mode, const char *to); + +extern int gr_is_capable(const int cap); +extern void gr_learn_resource(const struct task_struct * task, const int limit, + const unsigned long wanted); +extern void gr_copy_label(struct task_struct *tsk); +extern void gr_handle_crash(struct task_struct *task, const int sig); +extern int gr_handle_signal(const struct task_struct *p, const int sig); +extern int gr_check_crash_uid(const uid_t uid); +extern int gr_acl_handle_mmap(const struct file *file, const unsigned long prot); +extern int gr_acl_handle_mprotect(const struct file *file, const unsigned long prot); +extern int gr_check_hidden_task(const struct task_struct *tsk); +extern __u32 gr_acl_handle_truncate(const struct dentry *dentry, + const struct vfsmount *mnt); +extern __u32 gr_acl_handle_utime(const struct dentry *dentry, + const struct vfsmount *mnt); +extern __u32 gr_acl_handle_access(const struct dentry *dentry, + const struct vfsmount *mnt, + const int fmode); +extern __u32 gr_acl_handle_fchmod(const struct dentry *dentry, + const struct vfsmount *mnt); +extern __u32 gr_acl_handle_chmod(const struct dentry *dentry, + const struct vfsmount *mnt); +extern __u32 gr_acl_handle_chown(const struct dentry *dentry, + const struct vfsmount *mnt); +extern int gr_handle_ptrace_exec(const struct dentry *dentry, + const struct vfsmount *mnt); +extern int gr_handle_ptrace(struct task_struct *task, const long request); +extern int gr_handle_mmap(const struct file *filp, const unsigned long prot); +extern __u32 gr_acl_handle_execve(const struct dentry *dentry, + const struct vfsmount *mnt); +extern int gr_check_crash_exec(const struct file *filp); +extern int gr_acl_is_enabled(void); +extern void gr_set_proc_label(const struct dentry *dentry, + const struct vfsmount *mnt); +extern __u32 gr_acl_handle_hidden_file(const struct dentry *dentry, + const struct vfsmount *mnt); +extern __u32 gr_acl_handle_open(const struct dentry *dentry, + const struct vfsmount *mnt, + const int fmode); +extern __u32 gr_acl_handle_creat(const struct dentry *dentry, + const struct dentry *p_dentry, + const struct vfsmount *p_mnt, + const int fmode); +extern void gr_handle_create(const struct dentry *dentry, + const struct vfsmount *mnt); +extern __u32 gr_acl_handle_mknod(const struct dentry *new_dentry, + const struct dentry *parent_dentry, + const struct vfsmount *parent_mnt); +extern __u32 gr_acl_handle_mkdir(const struct dentry *new_dentry, + const struct dentry *parent_dentry, + const struct vfsmount *parent_mnt); +extern __u32 gr_acl_handle_rmdir(const struct dentry *dentry, + const struct vfsmount *mnt); +extern void gr_handle_delete(const ino_t ino, const kdev_t dev); +extern __u32 gr_acl_handle_unlink(const struct dentry *dentry, + const struct vfsmount *mnt); +extern __u32 gr_acl_handle_symlink(const struct dentry *new_dentry, + const struct dentry *parent_dentry, + const struct vfsmount *parent_mnt, + const char *from); +extern __u32 gr_acl_handle_link(const struct dentry *new_dentry, + const struct dentry *parent_dentry, + const struct vfsmount *parent_mnt, + const struct dentry *old_dentry, + const struct vfsmount *old_mnt, + const char *to); +extern int gr_acl_handle_rename(struct dentry *new_dentry, + struct dentry *parent_dentry, + const struct vfsmount *parent_mnt, + struct dentry *old_dentry, + struct inode *old_parent_inode, + struct vfsmount *old_mnt, + const char *newname); +extern __u32 gr_acl_handle_filldir(const struct dentry *dentry, + const struct vfsmount *mnt, + const ino_t ino); +extern __u32 gr_acl_handle_unix(const struct dentry *dentry, + const struct vfsmount *mnt); +extern void gr_set_pax_flags(struct task_struct *task); +extern void gr_acl_handle_exit(void); +extern int gr_acl_handle_procpidmem(const struct task_struct *task); +extern __u32 gr_cap_rtnetlink(void); + +#ifdef CONFIG_GRKERNSEC +extern void gr_handle_mem_write(void); +extern void gr_handle_kmem_write(void); +extern void gr_handle_open_port(void); +extern int gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma); + +extern __u16 ip_randomid(void); +extern __u32 ip_randomisn(void); +extern __u32 arc4random(void); + +extern int grsec_enable_dmesg; +extern int grsec_enable_randid; +extern int grsec_enable_randisn; +extern int grsec_enable_randsrc; +extern int grsec_enable_randping; +extern int grsec_enable_randrpc; +#endif + +#endif + diff -urN linux-2.4.20/include/linux/kernel.h linux-2.4.20/include/linux/kernel.h --- linux-2.4.20/include/linux/kernel.h 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/include/linux/kernel.h 2003-02-12 23:36:37.000000000 -0500 @@ -71,14 +71,17 @@ extern long long simple_strtoll(const char *,char **,unsigned int); extern int sprintf(char * buf, const char * fmt, ...) __attribute__ ((format (printf, 2, 3))); -extern int vsprintf(char *buf, const char *, va_list); +extern int vsprintf(char *buf, const char *, va_list) + __attribute__ ((format (printf, 2, 0))); extern int snprintf(char * buf, size_t size, const char * fmt, ...) __attribute__ ((format (printf, 3, 4))); -extern int vsnprintf(char *buf, size_t size, const char *fmt, va_list args); +extern int vsnprintf(char *buf, size_t size, const char *fmt, va_list args) + __attribute__ ((format (printf, 3, 0))); extern int sscanf(const char *, const char *, ...) __attribute__ ((format (scanf,2,3))); -extern int vsscanf(const char *, const char *, va_list); +extern int vsscanf(const char *, const char *, va_list) + __attribute__ ((format (scanf, 2, 0))); extern int get_option(char **str, int *pint); extern char *get_options(char *str, int nints, int *ints); diff -urN linux-2.4.20/include/linux/mm.h linux-2.4.20/include/linux/mm.h --- linux-2.4.20/include/linux/mm.h 2002-08-02 20:39:45.000000000 -0400 +++ linux-2.4.20/include/linux/mm.h 2003-02-12 23:36:37.000000000 -0500 @@ -22,9 +22,13 @@ extern struct list_head active_list; extern struct list_head inactive_list; +extern void gr_learn_resource(const struct task_struct * task, const int limit, + const unsigned long wanted); + #include #include #include +#include /* * Linux kernel virtual memory manager primitives. @@ -104,7 +108,19 @@ #define VM_DONTEXPAND 0x00040000 /* Cannot expand with mremap() */ #define VM_RESERVED 0x00080000 /* Don't unmap it from swap_out */ -#define VM_STACK_FLAGS 0x00000177 +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) +#define VM_MIRROR 0x00100000 /* vma is mirroring another */ +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT +#define VM_MAYNOTWRITE 0x00200000 /* vma cannot be granted VM_WRITE any more */ +#endif + +#if defined(CONFIG_GRKERNSEC_PAX_PAGEEXEC) || defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) +#define VM_STACK_FLAGS (0x00000133 | ((current->flags & (PF_PAX_PAGEEXEC|PF_PAX_SEGMEXEC))?0:VM_EXEC|VM_MAYEXEC)) +#else +#define VM_STACK_FLAGS 0x00000177 +#endif #define VM_READHINTMASK (VM_SEQ_READ | VM_RAND_READ) #define VM_ClearReadHint(v) (v)->vm_flags &= ~VM_READHINTMASK @@ -543,21 +559,50 @@ unsigned long len, unsigned long prot, unsigned long flag, unsigned long pgoff); +extern int do_munmap(struct mm_struct *, unsigned long, size_t); + static inline unsigned long do_mmap(struct file *file, unsigned long addr, unsigned long len, unsigned long prot, unsigned long flag, unsigned long offset) { unsigned long ret = -EINVAL; + +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC + if ((current->flags & PF_PAX_SEGMEXEC) && + (len > SEGMEXEC_TASK_SIZE || (addr && addr > SEGMEXEC_TASK_SIZE-len))) + goto out; +#endif + if ((offset + PAGE_ALIGN(len)) < offset) goto out; if (!(offset & ~PAGE_MASK)) ret = do_mmap_pgoff(file, addr, len, prot, flag, offset >> PAGE_SHIFT); + +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC +#define BAD_ADDR(x) ((unsigned long)(x) > TASK_SIZE) + if ((current->flags & PF_PAX_SEGMEXEC) && !BAD_ADDR(ret) && + (prot & PROT_EXEC) && ((flag & MAP_TYPE) == MAP_PRIVATE) + +#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT + && (!(current->flags & PF_PAX_MPROTECT) || (file && !(prot & PROT_WRITE))) +#endif + ) + { + unsigned long ret_m; + ret_m = do_mmap_pgoff(NULL, ret + SEGMEXEC_TASK_SIZE, +0UL, prot, flag | MAP_MIRROR | MAP_FIXED, ret); + if (BAD_ADDR(ret_m)) { + do_munmap(current->mm, ret, len); + ret = ret_m; + } + } +#undef BAD_ADDR +#endif + out: return ret; } -extern int do_munmap(struct mm_struct *, unsigned long, size_t); - extern unsigned long do_brk(unsigned long, unsigned long); static inline void __vma_unlink(struct mm_struct * mm, struct vm_area_struct * vma, struct vm_area_struct * prev) @@ -570,6 +615,13 @@ static inline int can_vma_merge(struct vm_area_struct * vma, unsigned long vm_flags) { + +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC + if ((vma->vm_flags | vm_flags) & VM_MIRROR) + return 0; + else +#endif + if (!vma->vm_file && vma->vm_flags == vm_flags) return 1; else @@ -638,6 +690,8 @@ address &= PAGE_MASK; spin_lock(&vma->vm_mm->page_table_lock); grow = (vma->vm_start - address) >> PAGE_SHIFT; + gr_learn_resource(current, RLIMIT_STACK, vma->vm_end - address); + gr_learn_resource(current, RLIMIT_AS, (vma->vm_mm->total_vm + grow) << PAGE_SHIFT); if (vma->vm_end - address > current->rlim[RLIMIT_STACK].rlim_cur || ((vma->vm_mm->total_vm + grow) << PAGE_SHIFT) > current->rlim[RLIMIT_AS].rlim_cur) { spin_unlock(&vma->vm_mm->page_table_lock); diff -urN linux-2.4.20/include/linux/proc_fs.h linux-2.4.20/include/linux/proc_fs.h --- linux-2.4.20/include/linux/proc_fs.h 2002-08-02 20:39:45.000000000 -0400 +++ linux-2.4.20/include/linux/proc_fs.h 2003-02-12 23:36:37.000000000 -0500 @@ -143,6 +143,9 @@ extern struct proc_dir_entry *proc_mknod(const char *,mode_t, struct proc_dir_entry *,kdev_t); extern struct proc_dir_entry *proc_mkdir(const char *,struct proc_dir_entry *); +#ifdef CONFIG_GRKERNSEC_PROC +extern struct proc_dir_entry *proc_priv_mkdir(const char *, struct proc_dir_entry *); +#endif static inline struct proc_dir_entry *create_proc_read_entry(const char *name, mode_t mode, struct proc_dir_entry *base, diff -urN linux-2.4.20/include/linux/sched.h linux-2.4.20/include/linux/sched.h --- linux-2.4.20/include/linux/sched.h 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/include/linux/sched.h 2003-02-12 23:36:37.000000000 -0500 @@ -27,6 +27,9 @@ #include #include +extern int gr_is_capable(const int cap); +extern int gr_pid_is_chrooted(const struct task_struct *p); + struct exec_domain; /* @@ -231,6 +234,12 @@ unsigned long cpu_vm_mask; unsigned long swap_address; +#ifdef CONFIG_GRKERNSEC_PAX_ASLR + unsigned long delta_mmap; /* PaX: randomized offset */ + unsigned long delta_exec; /* PaX: randomized offset */ + unsigned long delta_stack; /* PaX: randomized offset */ +#endif + unsigned dumpable:1; /* Architecture-specific MM context */ @@ -409,7 +418,7 @@ int (*notifier)(void *priv); void *notifier_data; sigset_t *notifier_mask; - + /* Thread group tracking */ u32 parent_exec_id; u32 self_exec_id; @@ -418,6 +427,15 @@ /* journalling filesystem info */ void *journal_info; + +#ifdef CONFIG_GRKERNSEC +/* added by grsecurity's ACL system */ + struct acl_subject_label * acl; + u32 curr_ip; + u8 acl_admin:1; + u8 used_accept:1; + u8 used_connect:1; +#endif }; /* @@ -438,6 +456,13 @@ #define PF_USEDFPU 0x00100000 /* task used FPU this quantum (SMP) */ +#define PF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */ +#define PF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */ +#define PF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */ +#define PF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */ +#define PF_PAX_RANDEXEC 0x10000000 /* Randomize ET_EXEC base */ +#define PF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */ + /* * Ptrace flags */ @@ -512,7 +537,6 @@ journal_info: NULL, \ } - #ifndef INIT_TASK_SIZE # define INIT_TASK_SIZE 2048*sizeof(long) #endif @@ -550,6 +574,8 @@ *p->pidhash_pprev = p->pidhash_next; } +#include + static inline struct task_struct *find_task_by_pid(int pid) { struct task_struct *p, **htable = &pidhash[pid_hashfn(pid)]; @@ -557,6 +583,8 @@ for(p = *htable; p && p->pid != pid; p = p->pidhash_next) ; + if(gr_pid_is_chrooted(p)) p = NULL; + return p; } @@ -577,8 +605,6 @@ extern struct user_struct * alloc_uid(uid_t); extern void free_uid(struct user_struct *); -#include - extern unsigned long volatile jiffies; extern unsigned long itimer_ticks; extern unsigned long itimer_next; @@ -742,7 +768,7 @@ static inline int capable(int cap) { #if 1 /* ok now */ - if (cap_raised(current->cap_effective, cap)) + if (cap_raised(current->cap_effective, cap) && gr_is_capable(cap)) #else if (cap_is_fs_cap(cap) ? current->fsuid == 0 : current->euid == 0) #endif diff -urN linux-2.4.20/include/linux/sysctl.h linux-2.4.20/include/linux/sysctl.h --- linux-2.4.20/include/linux/sysctl.h 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/include/linux/sysctl.h 2003-02-12 23:36:37.000000000 -0500 @@ -124,6 +124,7 @@ KERN_CORE_USES_PID=52, /* int: use core or core.%pid */ KERN_TAINTED=53, /* int: various kernel tainted flags */ KERN_CADPID=54, /* int: PID of the process to notify on CAD */ + KERN_GRSECURITY=68, /* grsecurity */ }; diff -urN linux-2.4.20/include/net/inetpeer.h linux-2.4.20/include/net/inetpeer.h --- linux-2.4.20/include/net/inetpeer.h 2002-02-25 14:38:13.000000000 -0500 +++ linux-2.4.20/include/net/inetpeer.h 2003-02-12 23:36:37.000000000 -0500 @@ -13,6 +13,7 @@ #include #include #include + #include struct inet_peer @@ -34,6 +35,11 @@ /* can be called with or without local BH being disabled */ struct inet_peer *inet_getpeer(__u32 daddr, int create); +#ifdef CONFIG_GRKERNSEC_RANDID +extern int grsec_enable_randid; +extern __u16 ip_randomid(void); +#endif + extern spinlock_t inet_peer_unused_lock; extern struct inet_peer *inet_peer_unused_head; extern struct inet_peer **inet_peer_unused_tailp; @@ -58,7 +64,14 @@ __u16 id; spin_lock_bh(&inet_peer_idlock); - id = p->ip_id_count++; + +#ifdef CONFIG_GRKERNSEC_RANDID + if(grsec_enable_randid) + id = htons(ip_randomid()); + else +#endif + id = p->ip_id_count++; + spin_unlock_bh(&inet_peer_idlock); return id; } diff -urN linux-2.4.20/include/net/ip.h linux-2.4.20/include/net/ip.h --- linux-2.4.20/include/net/ip.h 2001-11-22 14:47:15.000000000 -0500 +++ linux-2.4.20/include/net/ip.h 2003-02-12 23:36:37.000000000 -0500 @@ -64,6 +64,11 @@ void (*destructor)(struct sock *); }; +#ifdef CONFIG_GRKERNSEC_RANDID +extern int grsec_enable_randid; +extern __u16 ip_randomid(void); +#endif + extern struct ip_ra_chain *ip_ra_chain; extern rwlock_t ip_ra_lock; @@ -196,7 +201,13 @@ * does not change, they drop every other packet in * a TCP stream using header compression. */ - iph->id = ((sk && sk->daddr) ? htons(sk->protinfo.af_inet.id++) : 0); + +#ifdef CONFIG_GRKERNSEC_RANDID + if(grsec_enable_randid) + iph->id = htons(ip_randomid()); + else +#endif + iph->id = ((sk && sk->daddr) ? htons(sk->protinfo.af_inet.id++) : 0); } else __ip_select_ident(iph, dst); } diff -urN linux-2.4.20/init/main.c linux-2.4.20/init/main.c --- linux-2.4.20/init/main.c 2002-08-02 20:39:46.000000000 -0400 +++ linux-2.4.20/init/main.c 2003-02-12 23:36:37.000000000 -0500 @@ -27,6 +27,7 @@ #include #include #include +#include #include #include @@ -107,6 +108,8 @@ extern void ipc_init(void); #endif +extern void grsecurity_init(void); + /* * Boot command-line arguments */ @@ -546,6 +549,7 @@ do_basic_setup(); prepare_namespace(); + grsecurity_init(); /* * Ok, we have completed the initial bootup, and diff -urN linux-2.4.20/ipc/msg.c linux-2.4.20/ipc/msg.c --- linux-2.4.20/ipc/msg.c 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/ipc/msg.c 2003-02-12 23:36:37.000000000 -0500 @@ -22,6 +22,7 @@ #include #include #include +#include #include #include "util.h" @@ -326,6 +327,9 @@ msg_unlock(id); } up(&msg_ids.sem); + + gr_log_msgget(ret, msgflg); + return ret; } @@ -560,6 +564,8 @@ break; } case IPC_RMID: + gr_log_msgrm(ipcp->uid, ipcp->cuid); + freeque (msqid); break; } diff -urN linux-2.4.20/ipc/sem.c linux-2.4.20/ipc/sem.c --- linux-2.4.20/ipc/sem.c 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/ipc/sem.c 2003-02-12 23:36:37.000000000 -0500 @@ -62,6 +62,7 @@ #include #include #include +#include #include #include "util.h" @@ -181,6 +182,9 @@ } up(&sem_ids.sem); + + gr_log_semget(err, semflg); + return err; } @@ -728,6 +732,8 @@ switch(cmd){ case IPC_RMID: + gr_log_semrm(ipcp->uid, ipcp->cuid); + freeary(semid); err = 0; break; diff -urN linux-2.4.20/ipc/shm.c linux-2.4.20/ipc/shm.c --- linux-2.4.20/ipc/shm.c 2002-08-02 20:39:46.000000000 -0400 +++ linux-2.4.20/ipc/shm.c 2003-02-12 23:36:37.000000000 -0500 @@ -23,6 +23,7 @@ #include #include #include +#include #include "util.h" @@ -38,8 +39,21 @@ time_t shm_ctim; pid_t shm_cprid; pid_t shm_lprid; + +#ifdef CONFIG_GRKERNSEC + time_t shm_createtime; + pid_t shm_lapid; +#endif }; +#ifdef CONFIG_GRKERNSEC +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid, + const time_t shm_createtime, const uid_t cuid, + const int shmid); +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid, + const time_t shm_createtime); +#endif + #define shm_flags shm_perm.mode static struct file_operations shm_file_operations; @@ -209,6 +223,9 @@ shp->shm_lprid = 0; shp->shm_atim = shp->shm_dtim = 0; shp->shm_ctim = CURRENT_TIME; +#ifdef CONFIG_GRKERNSEC + shp->shm_createtime = CURRENT_TIME; +#endif shp->shm_segsz = size; shp->shm_nattch = 0; shp->id = shm_buildid(id,shp->shm_perm.seq); @@ -254,6 +271,9 @@ shm_unlock(id); } up(&shm_ids.sem); + + gr_log_shmget(err, shmflg, size); + return err; } @@ -509,6 +529,9 @@ err=-EPERM; goto out_unlock_up; } + + gr_log_shmrm(shp->shm_perm.uid, shp->shm_perm.cuid); + if (shp->shm_nattch){ shp->shm_flags |= SHM_DEST; /* Do not find it any more */ @@ -622,9 +645,28 @@ shm_unlock(shmid); return -EACCES; } + +#ifdef CONFIG_GRKERNSEC + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime, + shp->shm_perm.cuid, shmid)) { + shm_unlock(shmid); + return -EACCES; + } + + if (!gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) { + shm_unlock(shmid); + return -EACCES; + } +#endif + file = shp->shm_file; size = file->f_dentry->d_inode->i_size; shp->shm_nattch++; + +#ifdef CONFIG_GRKERNSEC + shp->shm_lapid = current->pid; +#endif + shm_unlock(shmid); down_write(¤t->mm->mmap_sem); diff -urN linux-2.4.20/kernel/capability.c linux-2.4.20/kernel/capability.c --- linux-2.4.20/kernel/capability.c 2000-06-24 00:06:37.000000000 -0400 +++ linux-2.4.20/kernel/capability.c 2003-02-12 23:36:37.000000000 -0500 @@ -7,6 +7,7 @@ #include #include +#include kernel_cap_t cap_bset = CAP_INIT_EFF_SET; @@ -188,6 +189,9 @@ goto out; } + if (gr_handle_chroot_capset(target)) + goto out; + /* having verified that the proposed changes are legal, we now put them into effect. */ error = 0; diff -urN linux-2.4.20/kernel/exit.c linux-2.4.20/kernel/exit.c --- linux-2.4.20/kernel/exit.c 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/kernel/exit.c 2003-02-12 23:36:37.000000000 -0500 @@ -16,6 +16,7 @@ #ifdef CONFIG_BSD_PROCESS_ACCT #include #endif +#include #include #include @@ -439,6 +440,9 @@ #ifdef CONFIG_BSD_PROCESS_ACCT acct_process(code); #endif + + gr_acl_handle_exit(); + __exit_mm(tsk); lock_kernel(); diff -urN linux-2.4.20/kernel/fork.c linux-2.4.20/kernel/fork.c --- linux-2.4.20/kernel/fork.c 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/kernel/fork.c 2003-02-12 23:36:37.000000000 -0500 @@ -22,6 +22,7 @@ #include #include #include +#include #include #include @@ -92,6 +93,10 @@ if (flags & CLONE_PID) return current->pid; + pid = gr_random_pid(&lastpid_lock); + if (pid) + return pid; + spin_lock(&lastpid_lock); beginpid = last_pid; if((++last_pid) & 0xffff8000) { @@ -609,6 +614,9 @@ * friends to set the per-user process limit to something lower * than the amount of processes root is running. -- Rik */ + + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes)); + if (atomic_read(&p->user->processes) >= p->rlim[RLIMIT_NPROC].rlim_cur && !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) goto bad_fork_free; @@ -693,6 +701,7 @@ retval = copy_thread(0, clone_flags, stack_start, stack_size, p, regs); if (retval) goto bad_fork_cleanup_namespace; + gr_copy_label(p); p->semundo = NULL; /* Our parent execution domain becomes current domain @@ -778,6 +787,9 @@ free_uid(p->user); bad_fork_free: free_task_struct(p); + + gr_log_forkfail(retval); + goto fork_out; } diff -urN linux-2.4.20/kernel/ksyms.c linux-2.4.20/kernel/ksyms.c --- linux-2.4.20/kernel/ksyms.c 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/kernel/ksyms.c 2003-02-12 23:36:37.000000000 -0500 @@ -48,6 +48,7 @@ #include #include #include +#include #include #if defined(CONFIG_PROC_FS) @@ -579,3 +580,8 @@ /* debug */ EXPORT_SYMBOL(dump_stack); + +/* grsecurity */ +EXPORT_SYMBOL(gr_is_capable); +EXPORT_SYMBOL(gr_pid_is_chrooted); +EXPORT_SYMBOL(gr_learn_resource); diff -urN linux-2.4.20/kernel/printk.c linux-2.4.20/kernel/printk.c --- linux-2.4.20/kernel/printk.c 2002-08-02 20:39:46.000000000 -0400 +++ linux-2.4.20/kernel/printk.c 2003-02-12 23:36:37.000000000 -0500 @@ -26,6 +26,7 @@ #include #include /* For in_interrupt() */ #include +#include #include @@ -294,6 +295,11 @@ asmlinkage long sys_syslog(int type, char * buf, int len) { +#ifdef CONFIG_GRKERNSEC_DMESG + if (!capable(CAP_SYS_ADMIN) && grsec_enable_dmesg) + return -EPERM; + else +#endif if ((type != 3) && !capable(CAP_SYS_ADMIN)) return -EPERM; return do_syslog(type, buf, len); diff -urN linux-2.4.20/kernel/sched.c linux-2.4.20/kernel/sched.c --- linux-2.4.20/kernel/sched.c 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/kernel/sched.c 2003-02-12 23:36:37.000000000 -0500 @@ -29,6 +29,7 @@ #include #include #include +#include #include #include @@ -872,6 +873,9 @@ return -EPERM; if (increment < -40) increment = -40; + + if (gr_handle_chroot_nice()) + return -EPERM; } if (increment > 40) increment = 40; diff -urN linux-2.4.20/kernel/signal.c linux-2.4.20/kernel/signal.c --- linux-2.4.20/kernel/signal.c 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/kernel/signal.c 2003-02-12 23:36:37.000000000 -0500 @@ -13,6 +13,8 @@ #include #include #include +#include +#include #include @@ -532,6 +534,8 @@ if (!sig || !t->sig) goto out_nolock; + gr_log_signal(sig, t); + spin_lock_irqsave(&t->sigmask_lock, flags); handle_stop_signal(sig, t); @@ -578,6 +582,8 @@ recalc_sigpending(t); spin_unlock_irqrestore(&t->sigmask_lock, flags); + gr_handle_crash(t, sig); + return send_sig_info(sig, info, t); } @@ -597,9 +603,13 @@ read_lock(&tasklist_lock); for_each_task(p) { if (p->pgrp == pgrp && thread_group_leader(p)) { - int err = send_sig_info(sig, info, p); - if (retval) - retval = err; + if (gr_handle_signal(p, sig)) + retval = -EPERM; + else { + int err = send_sig_info(sig, info, p); + if (retval) + retval = err; + } } } read_unlock(&tasklist_lock); @@ -650,7 +660,10 @@ if (tg) p = tg; } - error = send_sig_info(sig, info, p); + if (gr_handle_signal(p, sig)) + error = -EPERM; + else + error = send_sig_info(sig, info, p); } read_unlock(&tasklist_lock); return error; @@ -675,10 +688,14 @@ read_lock(&tasklist_lock); for_each_task(p) { if (p->pid > 1 && p != current && thread_group_leader(p)) { - int err = send_sig_info(sig, info, p); - ++count; - if (err != -EPERM) - retval = err; + if (gr_handle_signal(p, sig)) + retval = -EPERM; + else { + int err = send_sig_info(sig, info, p); + ++count; + if (err != -EPERM) + retval = err; + } } } read_unlock(&tasklist_lock); diff -urN linux-2.4.20/kernel/sys.c linux-2.4.20/kernel/sys.c --- linux-2.4.20/kernel/sys.c 2002-08-02 20:39:46.000000000 -0400 +++ linux-2.4.20/kernel/sys.c 2003-02-12 23:36:37.000000000 -0500 @@ -4,6 +4,7 @@ * Copyright (C) 1991, 1992 Linus Torvalds */ +#include #include #include #include @@ -14,6 +15,7 @@ #include #include #include +#include #include #include @@ -220,6 +222,12 @@ } if (error == -ESRCH) error = 0; + + if (gr_handle_chroot_setpriority(p, niceval)) { + read_unlock(&tasklist_lock); + return -ESRCH; + } + if (niceval < p->nice && !capable(CAP_SYS_NICE)) error = -EACCES; else @@ -607,6 +615,9 @@ } else if ((uid != current->uid) && (uid != new_suid)) return -EPERM; + if (gr_check_crash_uid(uid)) + return -EPERM; + if (old_euid != uid) { current->mm->dumpable = 0; @@ -1121,6 +1132,10 @@ if(copy_from_user(&new_rlim, rlim, sizeof(*rlim))) return -EFAULT; old_rlim = current->rlim + resource; + + if (old_rlim->rlim_max < old_rlim->rlim_cur) + return -EINVAL; + if (((new_rlim.rlim_cur > old_rlim->rlim_max) || (new_rlim.rlim_max > old_rlim->rlim_max)) && !capable(CAP_SYS_RESOURCE)) diff -urN linux-2.4.20/kernel/sysctl.c linux-2.4.20/kernel/sysctl.c --- linux-2.4.20/kernel/sysctl.c 2002-08-02 20:39:46.000000000 -0400 +++ linux-2.4.20/kernel/sysctl.c 2003-02-12 23:36:37.000000000 -0500 @@ -38,6 +38,15 @@ #endif #if defined(CONFIG_SYSCTL) +#include +#include + +extern int gr_proc_handler(ctl_table * table, int write, struct file * filp, + void * buffer, size_t * lenp); +extern __u32 gr_handle_sysctl(const ctl_table * table, const void *oldval, + const void *newval); +extern int gr_handle_sysctl_mod(const char *name, ctl_table *table, const int op); +extern int gr_handle_chroot_sysctl(const int op); /* External variables not in a header file. */ extern int panic_timeout; @@ -118,6 +127,8 @@ static ctl_table dev_table[]; extern ctl_table random_table[]; +static ctl_table grsecurity_table[]; + /* /proc declarations: */ #ifdef CONFIG_PROC_FS @@ -256,9 +267,199 @@ {KERN_S390_USER_DEBUG_LOGGING,"userprocess_debug", &sysctl_userprocess_debug,sizeof(int),0644,NULL,&proc_dointvec}, #endif +#ifdef CONFIG_GRKERNSEC + {KERN_GRSECURITY, "grsecurity", NULL, 0, 0500, grsecurity_table}, +#endif {0} }; +#ifdef CONFIG_GRKERNSEC +enum {GS_ACL=1, GS_LINK, GS_FIFO, GS_EXECVE, GS_EXECLOG, GS_SIGNAL, +GS_FORKFAIL, GS_TIME, GS_CHROOT_SHMAT, GS_CHROOT_UNIX, GS_CHROOT_MNT, +GS_CHROOT_FCHDIR, GS_CHROOT_DBL, GS_CHROOT_PVT, GS_CHROOT_CD, GS_CHROOT_CM, +GS_CHROOT_MK, GS_CHROOT_NI, GS_CHROOT_EXECLOG, GS_CHROOT_CAPS, +GS_CHROOT_SYSCTL, GS_TPE, GS_TPE_GID, GS_TPE_ALL, GS_SIDCAPS, +GS_RANDPID, GS_RANDID, GS_RANDSRC, GS_RANDISN, +GS_RANDPING, GS_SOCKET_ALL, GS_SOCKET_ALL_GID, GS_SOCKET_CLIENT, +GS_SOCKET_CLIENT_GID, GS_SOCKET_SERVER, GS_SOCKET_SERVER_GID, GS_TTY, GS_TTYS, +GS_PTY, GS_GROUP, GS_GID, GS_ACHDIR, GS_AMOUNT, GS_AIPC, GS_DMSG, GS_RANDRPC, +GS_FINDTASK, GS_LOCK}; + +static ctl_table grsecurity_table[] = { + {GS_ACL,"acl", NULL, sizeof(int), 0600, NULL, &gr_proc_handler}, +#ifdef CONFIG_GRKERNSEC_SYSCTL +#ifdef CONFIG_GRKERNSEC_LINK + {GS_LINK, "linking_restrictions", &grsec_enable_link, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_FIFO + {GS_FIFO, "fifo_restrictions", &grsec_enable_fifo, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_EXECVE + {GS_EXECVE, "execve_limiting", &grsec_enable_execve, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_EXECLOG + {GS_EXECLOG, "exec_logging", &grsec_enable_execlog, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_SIGNAL + {GS_SIGNAL, "signal_logging", &grsec_enable_signal, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_FORKFAIL + {GS_FORKFAIL, "forkfail_logging", &grsec_enable_forkfail, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_TIME + {GS_TIME, "timechange_logging", &grsec_enable_time, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT + {GS_CHROOT_SHMAT, "chroot_deny_shmat", &grsec_enable_chroot_shmat, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX + {GS_CHROOT_UNIX, "chroot_deny_unix", &grsec_enable_chroot_unix, sizeof(int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT + {GS_CHROOT_MNT, "chroot_deny_mount", &grsec_enable_chroot_mount, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR + {GS_CHROOT_FCHDIR, "chroot_deny_fchdir", &grsec_enable_chroot_fchdir, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE + {GS_CHROOT_DBL, "chroot_deny_chroot", &grsec_enable_chroot_double, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT + {GS_CHROOT_PVT, "chroot_deny_pivot", &grsec_enable_chroot_pivot, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR + {GS_CHROOT_CD, "chroot_enforce_chdir", &grsec_enable_chroot_chdir, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD + {GS_CHROOT_CM, "chroot_deny_chmod", &grsec_enable_chroot_chmod, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD + {GS_CHROOT_MK, "chroot_deny_mknod", &grsec_enable_chroot_mknod, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE + {GS_CHROOT_NI, "chroot_restrict_nice", &grsec_enable_chroot_nice, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG + {GS_CHROOT_EXECLOG, "chroot_execlog", + &grsec_enable_chroot_execlog, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS + {GS_CHROOT_CAPS, "chroot_caps", &grsec_enable_chroot_caps, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL + {GS_CHROOT_SYSCTL, "chroot_deny_sysctl", &grsec_enable_chroot_sysctl, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_TPE + {GS_TPE, "tpe", &grsec_enable_tpe, sizeof (int), + 0600, NULL, &proc_dointvec}, + {GS_TPE_GID, "tpe_gid", &grsec_tpe_gid, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_TPE_ALL + {GS_TPE_ALL, "tpe_restrict_all", &grsec_enable_tpe_all, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_RANDPID + {GS_RANDPID, "rand_pids", &grsec_enable_randpid, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_RANDID + {GS_RANDID, "rand_ip_ids", &grsec_enable_randid, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_RANDSRC + {GS_RANDSRC, "rand_tcp_src_ports", &grsec_enable_randsrc, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_RANDISN + {GS_RANDSRC, "rand_isns", &grsec_enable_randisn, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_RANDPING + {GS_RANDPING, "altered_pings", &grsec_enable_randping, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL + {GS_SOCKET_ALL, "socket_all", &grsec_enable_socket_all, sizeof (int), + 0600, NULL, &proc_dointvec}, + {GS_SOCKET_ALL_GID, "socket_all_gid", + &grsec_socket_all_gid, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT + {GS_SOCKET_CLIENT, "socket_client", + &grsec_enable_socket_client, sizeof (int), + 0600, NULL, &proc_dointvec}, + {GS_SOCKET_CLIENT_GID, "socket_client_gid", + &grsec_socket_client_gid, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER + {GS_SOCKET_SERVER, "socket_server", + &grsec_enable_socket_server, sizeof (int), + 0600, NULL, &proc_dointvec}, + {GS_SOCKET_SERVER_GID, "socket_server_gid", + &grsec_socket_server_gid, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP + {GS_GROUP, "audit_group", &grsec_enable_group, sizeof (int), + 0600, NULL, &proc_dointvec}, + {GS_GID, "audit_gid", + &grsec_audit_gid, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR + {GS_ACHDIR, "audit_chdir", &grsec_enable_chdir, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT + {GS_AMOUNT, "audit_mount", &grsec_enable_mount, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC + {GS_AIPC, "audit_ipc", &grsec_enable_audit_ipc, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_DMESG + {GS_AIPC, "dmesg", &grsec_enable_dmesg, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_RANDRPC + {GS_RANDRPC, "rand_rpc", &grsec_enable_randrpc, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK + {GS_FINDTASK, "chroot_findtask", &grsec_enable_chroot_findtask, + sizeof (int), 0600, NULL, &proc_dointvec}, +#endif + {GS_LOCK, "grsec_lock", &grsec_lock, sizeof (int), 0600, NULL, + &proc_dointvec}, +#endif + {0} +}; +#endif + static ctl_table vm_table[] = { {VM_BDFLUSH, "bdflush", &bdf_prm, 9*sizeof(int), 0644, NULL, &proc_dointvec_minmax, &sysctl_intvec, NULL, @@ -392,6 +593,11 @@ static inline int ctl_perm(ctl_table *table, int op) { + if (gr_handle_sysctl_mod(table->de->parent->name, table, op)) + return -EACCES; + if (gr_handle_chroot_sysctl(op)) + return -EACCES; + return test_perm(table->mode, op); } @@ -425,6 +631,10 @@ table = table->child; goto repeat; } + + if (!gr_handle_sysctl(table, oldval, newval)) + return -EACCES; + error = do_sysctl_strategy(table, name, nlen, oldval, oldlenp, newval, newlen, context); diff -urN linux-2.4.20/kernel/time.c linux-2.4.20/kernel/time.c --- linux-2.4.20/kernel/time.c 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/kernel/time.c 2003-02-12 23:36:37.000000000 -0500 @@ -27,6 +27,7 @@ #include #include #include +#include #include @@ -89,6 +90,9 @@ time_maxerror = NTP_PHASE_LIMIT; time_esterror = NTP_PHASE_LIMIT; write_unlock_irq(&xtime_lock); + + gr_log_timechange(); + return 0; } @@ -167,6 +171,8 @@ * globally block out interrupts when it runs. */ do_settimeofday(tv); + + gr_log_timechange(); } return 0; } diff -urN linux-2.4.20/kernel/timer.c linux-2.4.20/kernel/timer.c --- linux-2.4.20/kernel/timer.c 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/kernel/timer.c 2003-02-12 23:36:37.000000000 -0500 @@ -541,6 +541,9 @@ psecs = (p->times.tms_utime += user); psecs += (p->times.tms_stime += system); + + gr_learn_resource(p, RLIMIT_CPU, psecs / HZ); + if (psecs / HZ > p->rlim[RLIMIT_CPU].rlim_cur) { /* Send SIGXCPU every second.. */ if (!(psecs % HZ)) diff -urN linux-2.4.20/mm/filemap.c linux-2.4.20/mm/filemap.c --- linux-2.4.20/mm/filemap.c 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/mm/filemap.c 2003-02-12 23:36:37.000000000 -0500 @@ -2192,6 +2192,12 @@ } if (!mapping->a_ops->readpage) return -ENOEXEC; + +#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC + if (current->flags & PF_PAX_PAGEEXEC) + vma->vm_page_prot = protection_map[vma->vm_flags & 0x0f]; +#endif + UPDATE_ATIME(inode); vma->vm_ops = &generic_file_vm_ops; return 0; @@ -2473,6 +2479,7 @@ error = -EIO; rlim_rss = current->rlim ? current->rlim[RLIMIT_RSS].rlim_cur : LONG_MAX; /* default: see resource.h */ + gr_learn_resource(current, RLIMIT_RSS, vma->vm_mm->rss + (end - start)); if ((vma->vm_mm->rss + (end - start)) > rlim_rss) return error; @@ -2976,6 +2983,7 @@ err = -EFBIG; if (!S_ISBLK(inode->i_mode) && limit != RLIM_INFINITY) { + gr_learn_resource(current, RLIMIT_FSIZE, pos); if (pos >= limit) { send_sig(SIGXFSZ, current, 0); goto out; @@ -3011,6 +3019,7 @@ */ if (!S_ISBLK(inode->i_mode)) { + gr_learn_resource(current, RLIMIT_FSIZE, count + (u32)pos); if (pos >= inode->i_sb->s_maxbytes) { if (count || pos > inode->i_sb->s_maxbytes) { diff -urN linux-2.4.20/mm/memory.c linux-2.4.20/mm/memory.c --- linux-2.4.20/mm/memory.c 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/mm/memory.c 2003-02-12 23:36:37.000000000 -0500 @@ -925,6 +925,65 @@ establish_pte(vma, address, page_table, pte_mkwrite(pte_mkdirty(mk_pte(new_page, vma->vm_page_prot)))); } +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) +/* PaX: if vma is mirrored, synchronize the mirror's PTE + * + * mm->page_table_lock is held on entry and is not released on exit or inside + * to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc) + */ +static void pax_mirror_fault(struct mm_struct *mm, struct vm_area_struct * vma, + unsigned long address, pte_t *pte) +{ + unsigned long address_m; + struct vm_area_struct * vma_m = NULL; + pte_t * pte_m, entry_m; + struct page * page_m; + + if (!(vma->vm_flags & VM_MIRROR)) + return; + + address_m = vma->vm_start + (unsigned long)vma->vm_private_data; + vma_m = find_vma(mm, address_m); + if (!vma_m || vma_m->vm_start != address_m) + return; + + address_m = address + (unsigned long)vma->vm_private_data; + + { + pgd_t *pgd_m; + pmd_t *pmd_m; + + pgd_m = pgd_offset(mm, address_m); + pmd_m = pmd_offset(pgd_m, address_m); + pte_m = pte_offset(pmd_m, address_m); + } + + if (pte_present(*pte_m)) + flush_cache_page(vma_m, address_m); + entry_m = ptep_get_and_clear(pte_m); + if (pte_present(entry_m)) + flush_tlb_page(vma_m, address_m); + + if (pte_none(entry_m)) { + ++mm->rss; + } else if (pte_present(entry_m)) { + page_cache_release(pte_page(entry_m)); + } else { + free_swap_and_cache(pte_to_swp_entry(entry_m)); + ++mm->rss; + } + + page_m = pte_page(*pte); + page_cache_get(page_m); + entry_m = mk_pte(page_m, vma_m->vm_page_prot); + if (pte_write(*pte)) + entry_m = pte_mkdirty(pte_mkwrite(entry_m)); + else + entry_m = pte_wrprotect(entry_m); + establish_pte(vma_m, address_m, pte_m, entry_m); +} +#endif + /* * This routine handles present pages, when users try to write * to a shared page. It is done by copying the page to a new address @@ -988,6 +1047,11 @@ /* Free the old page.. */ new_page = old_page; + +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) + pax_mirror_fault(mm, vma, address, page_table); +#endif + } spin_unlock(&mm->page_table_lock); page_cache_release(new_page); @@ -1065,6 +1129,7 @@ do_expand: limit = current->rlim[RLIMIT_FSIZE].rlim_cur; + gr_learn_resource(current, RLIMIT_FSIZE, offset); if (limit != RLIM_INFINITY && offset > limit) goto out_sig; if (offset > inode->i_sb->s_maxbytes) @@ -1178,6 +1243,11 @@ /* No need to invalidate - it was non-present before */ update_mmu_cache(vma, address, pte); + +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) + pax_mirror_fault(mm, vma, address, page_table); +#endif + spin_unlock(&mm->page_table_lock); return ret; } @@ -1303,6 +1373,11 @@ /* no need to invalidate: a not-present page shouldn't be cached */ update_mmu_cache(vma, address, entry); + +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) + pax_mirror_fault(mm, vma, address, page_table); +#endif + spin_unlock(&mm->page_table_lock); return 2; /* Major fault */ } @@ -1367,6 +1442,11 @@ pgd_t *pgd; pmd_t *pmd; +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) + unsigned long address_m = 0UL; + struct vm_area_struct * vma_m = NULL; +#endif + current->state = TASK_RUNNING; pgd = pgd_offset(mm, address); @@ -1375,6 +1455,47 @@ * and the SMP-safe atomic PTE updates. */ spin_lock(&mm->page_table_lock); + +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) + if (vma->vm_flags & VM_MIRROR) { + pgd_t *pgd_m; + pmd_t *pmd_m; + pte_t *pte_m; + + address_m = vma->vm_start + (unsigned long)vma->vm_private_data; + vma_m = find_vma(mm, address_m); + + /* PaX: sanity checks */ + if (!vma_m) { + spin_unlock(&mm->page_table_lock); + printk(KERN_ERR "PAX: VMMIRROR: fault bug, %08lx, %p, %08lx, %p\n", + address, vma, address_m, vma_m); + return 0; + } else if (!(vma_m->vm_flags & VM_MIRROR) || + vma_m->vm_start != address_m || + vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start) + { + spin_unlock(&mm->page_table_lock); + printk(KERN_ERR "PAX: VMMIRROR: fault bug2, %08lx, %08lx, %08lx, %08lx, %08lx\n", + address, vma->vm_start, vma_m->vm_start, vma->vm_end, vma_m->vm_end); + return 0; + } + + address_m = address + (unsigned long)vma->vm_private_data; + pgd_m = pgd_offset(mm, address_m); + pmd_m = pmd_alloc(mm, pgd_m, address_m); + if (!pmd_m) { + spin_unlock(&mm->page_table_lock); + return -1; + } + pte_m = pte_alloc(mm, pmd_m, address_m); + if (!pte_m) { + spin_unlock(&mm->page_table_lock); + return -1; + } + } +#endif + pmd = pmd_alloc(mm, pgd, address); if (pmd) { diff -urN linux-2.4.20/mm/mlock.c linux-2.4.20/mm/mlock.c --- linux-2.4.20/mm/mlock.c 2001-09-17 18:30:23.000000000 -0400 +++ linux-2.4.20/mm/mlock.c 2003-02-12 23:36:37.000000000 -0500 @@ -114,9 +114,35 @@ return 0; } +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) +static int __mlock_fixup(struct vm_area_struct * vma, + unsigned long start, unsigned long end, unsigned int newflags); static int mlock_fixup(struct vm_area_struct * vma, unsigned long start, unsigned long end, unsigned int newflags) { + if (vma->vm_flags & VM_MIRROR) { + struct vm_area_struct * vma_m; + unsigned long start_m, end_m; + + start_m = vma->vm_start + (unsigned long)vma->vm_private_data; + vma_m = find_vma(vma->vm_mm, start_m); + if (vma_m && vma_m->vm_start == start_m && (vma_m->vm_flags & VM_MIRROR)) { + start_m = start + (unsigned long)vma->vm_private_data; + end_m = end + (unsigned long)vma->vm_private_data; + __mlock_fixup(vma_m, start_m, end_m, newflags); + } else + printk("PAX: VMMIRROR: mlock bug in %s, %08lx\n", current->comm, vma->vm_start); + } + return __mlock_fixup(vma, start, end, newflags); +} + +static int __mlock_fixup(struct vm_area_struct * vma, + unsigned long start, unsigned long end, unsigned int newflags) +#else +static int mlock_fixup(struct vm_area_struct * vma, + unsigned long start, unsigned long end, unsigned int newflags) +#endif +{ int pages, retval; if (newflags == vma->vm_flags) @@ -209,6 +235,7 @@ lock_limit >>= PAGE_SHIFT; /* check against resource limits */ + gr_learn_resource(current, RLIMIT_MEMLOCK, locked); if (locked > lock_limit) goto out; @@ -276,6 +303,7 @@ lock_limit >>= PAGE_SHIFT; ret = -ENOMEM; + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm); if (current->mm->total_vm > lock_limit) goto out; diff -urN linux-2.4.20/mm/mmap.c linux-2.4.20/mm/mmap.c --- linux-2.4.20/mm/mmap.c 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/mm/mmap.c 2003-02-12 23:36:37.000000000 -0500 @@ -14,6 +14,8 @@ #include #include #include +#include +#include #include #include @@ -168,6 +170,7 @@ /* Check against rlimit.. */ rlim = current->rlim[RLIMIT_DATA].rlim_cur; + gr_learn_resource(current, RLIMIT_DATA, brk - mm->start_data); if (rlim < RLIM_INFINITY && brk - mm->start_data > rlim) goto out; @@ -205,6 +208,11 @@ _trans(prot, PROT_WRITE, VM_WRITE) | _trans(prot, PROT_EXEC, VM_EXEC); flag_bits = + +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) + _trans(flags, MAP_MIRROR, VM_MIRROR) | +#endif + _trans(flags, MAP_GROWSDOWN, VM_GROWSDOWN) | _trans(flags, MAP_DENYWRITE, VM_DENYWRITE) | _trans(flags, MAP_EXECUTABLE, VM_EXECUTABLE); @@ -400,6 +408,28 @@ int error; rb_node_t ** rb_link, * rb_parent; +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) + struct vm_area_struct * vma_m = NULL; + + if (flags & MAP_MIRROR) { + /* PaX: sanity checks, to be removed when proved to be stable */ + if (file || len || ((flags & MAP_TYPE) != MAP_PRIVATE)) + return -EINVAL; + + vma_m = find_vma(mm, pgoff); + + if (!vma_m || + vma_m->vm_start != pgoff || + (vma_m->vm_flags & VM_MIRROR) || + (!(vma_m->vm_flags & VM_WRITE) && (prot & PROT_WRITE))) + return -EINVAL; + + file = vma_m->vm_file; + pgoff = vma_m->vm_pgoff; + len = vma_m->vm_end - vma_m->vm_start; + } +#endif + if (file && (!file->f_op || !file->f_op->mmap)) return -ENODEV; @@ -430,10 +460,35 @@ */ vm_flags = calc_vm_flags(prot,flags) | mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; +#if defined(CONFIG_GRKERNSEC_PAX_PAGEEXEC) || defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) + if (current->flags & (PF_PAX_PAGEEXEC | PF_PAX_SEGMEXEC)) { + + if (!file || (prot & PROT_WRITE)) + vm_flags &= ~VM_EXEC; + +#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT + if (current->flags & PF_PAX_MPROTECT) { + if (!file || (prot & PROT_WRITE)) + vm_flags &= ~VM_MAYEXEC; + else + vm_flags &= ~VM_MAYWRITE; + +#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC + if (file && (flags & MAP_MIRROR) && (prot & PROT_EXEC)) + vma_m->vm_flags &= ~VM_MAYWRITE; +#endif + + } +#endif + + } +#endif + /* mlock MCL_FUTURE? */ if (vm_flags & VM_LOCKED) { unsigned long locked = mm->locked_vm << PAGE_SHIFT; locked += len; + gr_learn_resource(current, RLIMIT_MEMLOCK, locked); if (locked > current->rlim[RLIMIT_MEMLOCK].rlim_cur) return -EAGAIN; } @@ -478,6 +533,9 @@ } } + if (!gr_acl_handle_mmap(file, prot)) + return -EACCES; + /* Clear old maps */ munmap_back: vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent); @@ -488,10 +546,16 @@ } /* Check against address space limit. */ +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) + if (!(vm_flags & VM_MIRROR)) { +#endif + gr_learn_resource(current, RLIMIT_AS, (mm->total_vm << PAGE_SHIFT) + len); if ((mm->total_vm << PAGE_SHIFT) + len > current->rlim[RLIMIT_AS].rlim_cur) return -ENOMEM; - +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) + } +#endif /* Private writable mapping? Check memory availability.. */ if ((vm_flags & (VM_SHARED | VM_WRITE)) == VM_WRITE && !(flags & MAP_NORESERVE) && @@ -515,6 +579,13 @@ vma->vm_start = addr; vma->vm_end = addr + len; vma->vm_flags = vm_flags; + +#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC + if ((file || !(current->flags & PF_PAX_PAGEEXEC)) && (vm_flags & (VM_READ|VM_WRITE))) + vma->vm_page_prot = protection_map[(vm_flags | VM_EXEC) & 0x0f]; + else +#endif + vma->vm_page_prot = protection_map[vm_flags & 0x0f]; vma->vm_ops = NULL; vma->vm_pgoff = pgoff; @@ -543,6 +614,14 @@ goto free_vma; } +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) + if (flags & MAP_MIRROR) { + vma_m->vm_flags |= VM_MIRROR; + vma_m->vm_private_data = (void *)(vma->vm_start - vma_m->vm_start); + vma->vm_private_data = (void *)(vma_m->vm_start - vma->vm_start); + } +#endif + /* Can addr have changed?? * * Answer: Yes, several device drivers can do it in their @@ -578,6 +657,9 @@ atomic_inc(&file->f_dentry->d_inode->i_writecount); out: +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) + if (!(flags & MAP_MIRROR)) +#endif mm->total_vm += len >> PAGE_SHIFT; if (vm_flags & VM_LOCKED) { mm->locked_vm += len >> PAGE_SHIFT; @@ -614,20 +696,49 @@ { struct vm_area_struct *vma; +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC + if ((current->flags & PF_PAX_SEGMEXEC) && len > SEGMEXEC_TASK_SIZE) + return -ENOMEM; + else +#endif + if (len > TASK_SIZE) return -ENOMEM; +#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP + if (!(current->flags & PF_PAX_RANDMMAP) || !filp) +#endif + if (addr) { addr = PAGE_ALIGN(addr); vma = find_vma(current->mm, addr); + +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC + if ((current->flags & PF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE-len < addr) + return -ENOMEM; +#endif + if (TASK_SIZE - len >= addr && (!vma || addr + len <= vma->vm_start)) return addr; } addr = PAGE_ALIGN(TASK_UNMAPPED_BASE); +#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP + /* PaX: randomize base address if requested */ + if (current->flags & PF_PAX_RANDMMAP) + addr += current->mm->delta_mmap; +#endif + for (vma = find_vma(current->mm, addr); ; vma = vma->vm_next) { /* At this point: (!vma || addr < vma->vm_end). */ + +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC + if ((current->flags & PF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE-len < addr) + return -ENOMEM; + else +#endif + if (TASK_SIZE - len < addr) return -ENOMEM; if (!vma || addr + len <= vma->vm_start) @@ -789,6 +900,9 @@ struct vm_area_struct *mpnt; unsigned long end = addr + len; +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) + if (!(area->vm_flags & VM_MIRROR)) +#endif area->vm_mm->total_vm -= len >> PAGE_SHIFT; if (area->vm_flags & VM_LOCKED) area->vm_mm->locked_vm -= len >> PAGE_SHIFT; @@ -912,6 +1026,83 @@ } } +static inline struct vm_area_struct *unmap_vma(struct mm_struct *mm, + unsigned long addr, size_t len, struct vm_area_struct *mpnt, + struct vm_area_struct *extra) +{ + unsigned long st, end, size; + struct file *file = NULL; + + st = addr < mpnt->vm_start ? mpnt->vm_start : addr; + end = addr+len; + end = end > mpnt->vm_end ? mpnt->vm_end : end; + size = end - st; + + if (mpnt->vm_flags & VM_DENYWRITE && + (st != mpnt->vm_start || end != mpnt->vm_end) && + (file = mpnt->vm_file) != NULL) { + atomic_dec(&file->f_dentry->d_inode->i_writecount); + } + remove_shared_vm_struct(mpnt); + zap_page_range(mm, st, size); + + /* + * Fix the mapping, and free the old area if it wasn't reused. + */ + extra = unmap_fixup(mm, mpnt, st, size, extra); + if (file) + atomic_inc(&file->f_dentry->d_inode->i_writecount); + return extra; +} + +static struct vm_area_struct *unmap_vma_list(struct mm_struct *mm, + unsigned long addr, size_t len, struct vm_area_struct *free, + struct vm_area_struct *extra, struct vm_area_struct *prev) +{ + struct vm_area_struct *mpnt; + + /* Ok - we have the memory areas we should free on the 'free' list, + * so release them, and unmap the page range.. + * If the one of the segments is only being partially unmapped, + * it will put new vm_area_struct(s) into the address space. + * In that case we have to be careful with VM_DENYWRITE. + */ + while ((mpnt = free) != NULL) { + free = free->vm_next; + extra = unmap_vma(mm, addr, len, mpnt, extra); + } + + free_pgtables(mm, prev, addr, addr+len); + + return extra; +} + +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) +static struct vm_area_struct *unmap_vma_mirror_list(struct mm_struct *mm, + unsigned long addr, size_t len, struct vm_area_struct *free_m, + struct vm_area_struct *extra_m) +{ + struct vm_area_struct *mpnt, *prev; + + while ((mpnt = free_m) != NULL) { + unsigned long addr_m, start, end; + + free_m = free_m->vm_next; + + addr_m = addr - (unsigned long)mpnt->vm_private_data; + start = addr_m < mpnt->vm_start ? mpnt->vm_start : addr_m; + end = addr_m+len; + end = end > mpnt->vm_end ? mpnt->vm_end : end; + find_vma_prev(mm, mpnt->vm_start, &prev); + extra_m = unmap_vma(mm, addr_m, len, mpnt, extra_m); + + free_pgtables(mm, prev, start, end); + } + + return extra_m; +} +#endif + /* Munmap is split into 2 main parts -- this part which finds * what needs doing, and the areas themselves, which do the * work. This now handles partial unmappings. @@ -921,6 +1112,10 @@ { struct vm_area_struct *mpnt, *prev, **npp, *free, *extra; +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) + struct vm_area_struct *free_m, *extra_m; +#endif + if ((addr & ~PAGE_MASK) || addr > TASK_SIZE || len > TASK_SIZE-addr) return -EINVAL; @@ -953,60 +1148,69 @@ if (!extra) return -ENOMEM; +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) + if (current->flags & (PF_PAX_SEGMEXEC | PF_PAX_RANDEXEC)) { + extra_m = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL); + if (!extra_m) { + kmem_cache_free(vm_area_cachep, extra); + return -ENOMEM; + } + } else + extra_m = NULL; + + free_m = NULL; +#endif + npp = (prev ? &prev->vm_next : &mm->mmap); free = NULL; spin_lock(&mm->page_table_lock); for ( ; mpnt && mpnt->vm_start < addr+len; mpnt = *npp) { + mm->map_count--; *npp = mpnt->vm_next; mpnt->vm_next = free; free = mpnt; rb_erase(&mpnt->vm_rb, &mm->mm_rb); + +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) + if (free->vm_flags & VM_MIRROR) { + struct vm_area_struct *mpnt_m, *prev_m, **npp_m; + unsigned long addr_m = free->vm_start + (unsigned long)free->vm_private_data; + + mm->mmap_cache = NULL; /* Kill the cache. */ + mpnt_m = find_vma_prev(mm, addr_m, &prev_m); + if (mpnt_m && mpnt_m->vm_start == addr_m && (mpnt_m->vm_flags & VM_MIRROR)) { + mm->map_count--; + npp_m = (prev_m ? &prev_m->vm_next : &mm->mmap); + *npp_m = mpnt_m->vm_next; + mpnt_m->vm_next = free_m; + free_m = mpnt_m; + rb_erase(&mpnt_m->vm_rb, &mm->mm_rb); + } else + printk("PAX: VMMIRROR: munmap bug in %s, %08lx\n", current->comm, free->vm_start); + } +#endif + } mm->mmap_cache = NULL; /* Kill the cache. */ spin_unlock(&mm->page_table_lock); - /* Ok - we have the memory areas we should free on the 'free' list, - * so release them, and unmap the page range.. - * If the one of the segments is only being partially unmapped, - * it will put new vm_area_struct(s) into the address space. - * In that case we have to be careful with VM_DENYWRITE. - */ - while ((mpnt = free) != NULL) { - unsigned long st, end, size; - struct file *file = NULL; - - free = free->vm_next; + extra = unmap_vma_list(mm, addr, len, free, extra, prev); - st = addr < mpnt->vm_start ? mpnt->vm_start : addr; - end = addr+len; - end = end > mpnt->vm_end ? mpnt->vm_end : end; - size = end - st; - - if (mpnt->vm_flags & VM_DENYWRITE && - (st != mpnt->vm_start || end != mpnt->vm_end) && - (file = mpnt->vm_file) != NULL) { - atomic_dec(&file->f_dentry->d_inode->i_writecount); - } - remove_shared_vm_struct(mpnt); - mm->map_count--; - - zap_page_range(mm, st, size); +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) + extra_m = unmap_vma_mirror_list(mm, addr, len, free_m, extra_m); +#endif - /* - * Fix the mapping, and free the old area if it wasn't reused. - */ - extra = unmap_fixup(mm, mpnt, st, size, extra); - if (file) - atomic_inc(&file->f_dentry->d_inode->i_writecount); - } validate_mm(mm); +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) + if (extra_m) + kmem_cache_free(vm_area_cachep, extra_m); +#endif + /* Release the extra vma struct if it wasn't used */ if (extra) kmem_cache_free(vm_area_cachep, extra); - free_pgtables(mm, prev, addr, addr+len); - return 0; } @@ -1015,8 +1219,15 @@ int ret; struct mm_struct *mm = current->mm; +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC + if ((current->flags & PF_PAX_SEGMEXEC) && + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len)) + return -EINVAL; +#endif + down_write(&mm->mmap_sem); ret = do_munmap(mm, addr, len); + up_write(&mm->mmap_sem); return ret; } @@ -1043,6 +1254,7 @@ if (mm->def_flags & VM_LOCKED) { unsigned long locked = mm->locked_vm << PAGE_SHIFT; locked += len; + gr_learn_resource(current, RLIMIT_MEMLOCK, locked); if (locked > current->rlim[RLIMIT_MEMLOCK].rlim_cur) return -EAGAIN; } @@ -1059,6 +1271,7 @@ } /* Check against address space limits *after* clearing old maps... */ + gr_learn_resource(current, RLIMIT_AS, (mm->total_vm << PAGE_SHIFT) + len); if ((mm->total_vm << PAGE_SHIFT) + len > current->rlim[RLIMIT_AS].rlim_cur) return -ENOMEM; @@ -1071,6 +1284,17 @@ flags = VM_DATA_DEFAULT_FLAGS | mm->def_flags; +#if defined(CONFIG_GRKERNSEC_PAX_PAGEEXEC) || defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) + if (current->flags & (PF_PAX_PAGEEXEC | PF_PAX_SEGMEXEC)) { + flags &= ~VM_EXEC; + +#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT + if (current->flags & PF_PAX_MPROTECT) + flags &= ~VM_MAYEXEC; +#endif + + } +#endif /* Can we just expand an old anonymous mapping? */ if (rb_parent && vma_merge(mm, prev, rb_parent, addr, addr + len, flags)) goto out; @@ -1086,6 +1310,12 @@ vma->vm_start = addr; vma->vm_end = addr + len; vma->vm_flags = flags; + +#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC + if (!(current->flags & PF_PAX_PAGEEXEC) && (flags & (VM_READ|VM_WRITE))) + vma->vm_page_prot = protection_map[(flags | VM_EXEC) & 0x0f]; + else +#endif vma->vm_page_prot = protection_map[flags & 0x0f]; vma->vm_ops = NULL; vma->vm_pgoff = 0; diff -urN linux-2.4.20/mm/mprotect.c linux-2.4.20/mm/mprotect.c --- linux-2.4.20/mm/mprotect.c 2002-08-02 20:39:46.000000000 -0400 +++ linux-2.4.20/mm/mprotect.c 2003-02-12 23:36:37.000000000 -0500 @@ -7,6 +7,12 @@ #include #include #include +#include + +#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT +#include +#include +#endif #include #include @@ -236,8 +242,39 @@ return 0; } +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) +static int __mprotect_fixup(struct vm_area_struct * vma, struct vm_area_struct ** pprev, + unsigned long start, unsigned long end, unsigned int newflags); + +static int mprotect_fixup(struct vm_area_struct * vma, struct vm_area_struct ** pprev, + unsigned long start, unsigned long end, unsigned int newflags) +{ + if (vma->vm_flags & VM_MIRROR) { + struct vm_area_struct * vma_m, * prev_m; + unsigned long start_m, end_m; + + start_m = vma->vm_start + (unsigned long)vma->vm_private_data; + vma_m = find_vma_prev(vma->vm_mm, start_m, &prev_m); + if (vma_m && vma_m->vm_start == start_m && (vma_m->vm_flags & VM_MIRROR)) { + start_m = start + (unsigned long)vma->vm_private_data; + end_m = end + (unsigned long)vma->vm_private_data; + if ((current->flags & PF_PAX_SEGMEXEC) && !(newflags & VM_EXEC)) + __mprotect_fixup(vma_m, &prev_m, start_m, end_m, vma_m->vm_flags & ~(PROT_READ | PROT_WRITE | PROT_EXEC)); + else + __mprotect_fixup(vma_m, &prev_m, start_m, end_m, newflags); + } else + printk("PAX: VMMIRROR: mprotect bug in %s, %08lx\n", current->comm, vma->vm_start); + } + + return __mprotect_fixup(vma, pprev, start, end, newflags); +} + +static int __mprotect_fixup(struct vm_area_struct * vma, struct vm_area_struct ** pprev, + unsigned long start, unsigned long end, unsigned int newflags) +#else static int mprotect_fixup(struct vm_area_struct * vma, struct vm_area_struct ** pprev, unsigned long start, unsigned long end, unsigned int newflags) +#endif { pgprot_t newprot; int error; @@ -246,6 +283,12 @@ *pprev = vma; return 0; } + +#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC + if (!(current->flags & PF_PAX_PAGEEXEC) && (newflags & (VM_READ|VM_WRITE))) + newprot = protection_map[(newflags | VM_EXEC) & 0xf]; + else +#endif newprot = protection_map[newflags & 0xf]; if (start == vma->vm_start) { if (end == vma->vm_end) @@ -264,6 +307,61 @@ return 0; } +#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT +/* PaX: non-PIC ELF libraries need relocations on their executable segments + * therefore we'll grant them VM_MAYWRITE once during their life. + * + * The checks favor ld-linux.so behaviour which operates on a per ELF segment + * basis because we want to allow the common case and not the special ones. + */ +static inline void pax_handle_maywrite(struct vm_area_struct * vma, unsigned long start) +{ + struct elfhdr elf_h; + struct elf_phdr elf_p, p_dyn; + elf_dyn dyn; + unsigned long i, j = 65536UL / sizeof(struct elf_phdr); + +#ifndef CONFIG_GRKERNSEC_PAX_NOELFRELOCS + if ((vma->vm_start != start) || + !vma->vm_file || + !(vma->vm_flags & VM_MAYEXEC) || + (vma->vm_flags & VM_MAYNOTWRITE)) + return; +#endif + + if (0 > kernel_read(vma->vm_file, 0UL, (char*)&elf_h, sizeof(elf_h)) || + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) || + elf_h.e_type != ET_DYN || + !elf_check_arch(&elf_h) || + elf_h.e_phentsize != sizeof(struct elf_phdr) || + elf_h.e_phnum > j) + return; + + for (i = 0UL; i < elf_h.e_phnum; i++) { + if (0 > kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char*)&elf_p, sizeof(elf_p))) + return; + if (elf_p.p_type == PT_DYNAMIC) { + p_dyn = elf_p; + j = i; + } + } + if (elf_h.e_phnum <= j) + return; + + i = 0UL; + do { + if (0 > kernel_read(vma->vm_file, p_dyn.p_offset + i*sizeof(dyn), (char*)&dyn, sizeof(dyn))) + return; + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) { + vma->vm_flags |= VM_MAYWRITE | VM_MAYNOTWRITE; + return; + } + i++; + } while (dyn.d_tag != DT_NULL); + return; +} +#endif + asmlinkage long sys_mprotect(unsigned long start, size_t len, unsigned long prot) { unsigned long nstart, end, tmp; @@ -288,6 +386,16 @@ if (!vma || vma->vm_start > start) goto out; + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) { + error = -EACCES; + goto out; + } + +#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT + if ((current->flags & PF_PAX_MPROTECT) && (prot & PROT_WRITE)) + pax_handle_maywrite(vma, start); +#endif + for (nstart = start ; ; ) { unsigned int newflags; int last = 0; @@ -300,6 +408,12 @@ goto out; } +#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */ + if ((current->flags & PF_PAX_MPROTECT) && (prot & PROT_WRITE) && (vma->vm_flags & VM_MAYNOTWRITE)) { + newflags &= ~VM_MAYWRITE; + } +#endif if (vma->vm_end > end) { error = mprotect_fixup(vma, &prev, nstart, end, newflags); goto out; @@ -332,6 +446,7 @@ prev->vm_mm->map_count--; } out: + up_write(¤t->mm->mmap_sem); return error; } diff -urN linux-2.4.20/mm/mremap.c linux-2.4.20/mm/mremap.c --- linux-2.4.20/mm/mremap.c 2001-09-20 23:31:26.000000000 -0400 +++ linux-2.4.20/mm/mremap.c 2003-02-12 23:36:37.000000000 -0500 @@ -190,6 +190,9 @@ insert_vm_struct(current->mm, new_vma); } do_munmap(current->mm, addr, old_len); +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) + if (!(new_vma->vm_flags & VM_MIRROR)) +#endif current->mm->total_vm += new_len >> PAGE_SHIFT; if (new_vma->vm_flags & VM_LOCKED) { current->mm->locked_vm += new_len >> PAGE_SHIFT; @@ -227,6 +230,13 @@ old_len = PAGE_ALIGN(old_len); new_len = PAGE_ALIGN(new_len); +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC + if ((current->flags & PF_PAX_SEGMEXEC) && + (new_len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-new_len || + old_len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-old_len)) + goto out; +#endif + /* new_addr is only valid if MREMAP_FIXED is specified */ if (flags & MREMAP_FIXED) { if (new_addr & ~PAGE_MASK) @@ -237,6 +247,12 @@ if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len) goto out; +#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC + if ((current->flags & PF_PAX_SEGMEXEC) && + (new_len > SEGMEXEC_TASK_SIZE || new_addr > SEGMEXEC_TASK_SIZE-new_len)) + goto out; +#endif + /* Check if the location we're moving into overlaps the * old location at all, and fail if it does. */ @@ -267,6 +283,13 @@ vma = find_vma(current->mm, addr); if (!vma || vma->vm_start > addr) goto out; + +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) + if ((current->flags & (PF_PAX_SEGMEXEC | PF_PAX_RANDEXEC)) && + (vma->vm_flags & VM_MIRROR)) + return -EINVAL; +#endif + /* We can't remap across vm area boundaries */ if (old_len > vma->vm_end - addr) goto out; @@ -278,13 +301,22 @@ unsigned long locked = current->mm->locked_vm << PAGE_SHIFT; locked += new_len - old_len; ret = -EAGAIN; + gr_learn_resource(current, RLIMIT_MEMLOCK, locked); if (locked > current->rlim[RLIMIT_MEMLOCK].rlim_cur) goto out; } ret = -ENOMEM; + +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) + if (!(vma->vm_flags & VM_MIRROR)) { +#endif + gr_learn_resource(current, RLIMIT_AS, (current->mm->total_vm << PAGE_SHIFT) + (new_len - old_len)); if ((current->mm->total_vm << PAGE_SHIFT) + (new_len - old_len) > current->rlim[RLIMIT_AS].rlim_cur) goto out; +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) + } +#endif /* Private writable mapping? Check memory availability.. */ if ((vma->vm_flags & (VM_SHARED | VM_WRITE)) == VM_WRITE && !(flags & MAP_NORESERVE) && @@ -306,6 +338,9 @@ spin_lock(&vma->vm_mm->page_table_lock); vma->vm_end = addr + new_len; spin_unlock(&vma->vm_mm->page_table_lock); +#if defined(CONFIG_GRKERNSEC_PAX_SEGMEXEC) || defined(CONFIG_GRKERNSEC_PAX_RANDEXEC) + if (!(vma->vm_flags & VM_MIRROR)) +#endif current->mm->total_vm += pages; if (vma->vm_flags & VM_LOCKED) { current->mm->locked_vm += pages; diff -urN linux-2.4.20/mm/shmem.c linux-2.4.20/mm/shmem.c --- linux-2.4.20/mm/shmem.c 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/mm/shmem.c 2003-02-12 23:36:37.000000000 -0500 @@ -822,6 +822,8 @@ */ err = -EFBIG; if (limit != RLIM_INFINITY) { + gr_learn_resource(current, RLIMIT_FSIZE, pos); + if (pos >= limit) { send_sig(SIGXFSZ, current, 0); goto out; diff -urN linux-2.4.20/net/ipv4/af_inet.c linux-2.4.20/net/ipv4/af_inet.c --- linux-2.4.20/net/ipv4/af_inet.c 2002-08-02 20:39:46.000000000 -0400 +++ linux-2.4.20/net/ipv4/af_inet.c 2003-02-12 23:36:37.000000000 -0500 @@ -83,6 +83,7 @@ #include #include #include +#include #include #include @@ -374,7 +375,12 @@ else sk->protinfo.af_inet.pmtudisc = IP_PMTUDISC_WANT; - sk->protinfo.af_inet.id = 0; +#ifdef CONFIG_GRKERNSEC_RANDID + if(grsec_enable_randid) + sk->protinfo.af_inet.id = htons(ip_randomid()); + else +#endif + sk->protinfo.af_inet.id = 0; sock_init_data(sock,sk); diff -urN linux-2.4.20/net/ipv4/icmp.c linux-2.4.20/net/ipv4/icmp.c --- linux-2.4.20/net/ipv4/icmp.c 2002-08-02 20:39:46.000000000 -0400 +++ linux-2.4.20/net/ipv4/icmp.c 2003-02-12 23:36:37.000000000 -0500 @@ -87,6 +87,8 @@ #include #include #include +#include + #include #include #include @@ -742,6 +744,12 @@ icmp_param.data.icmph=*skb->h.icmph; icmp_param.data.icmph.type=ICMP_ECHOREPLY; + +#ifdef CONFIG_GRKERNSEC_RANDPING + if(grsec_enable_randping) + icmp_param.data.icmph.un.echo.id = skb->h.icmph->un.echo.id; +#endif + icmp_param.skb=skb; icmp_param.offset=0; icmp_param.data_len=skb->len; diff -urN linux-2.4.20/net/ipv4/ip_output.c linux-2.4.20/net/ipv4/ip_output.c --- linux-2.4.20/net/ipv4/ip_output.c 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/net/ipv4/ip_output.c 2003-02-12 23:36:37.000000000 -0500 @@ -77,6 +77,7 @@ #include #include #include +#include /* * Shall we try to damage output packets if routing dev changes? @@ -511,7 +512,13 @@ * Begin outputting the bytes. */ - id = sk->protinfo.af_inet.id++; +#ifdef CONFIG_GRKERNSEC_RANDID + if(grsec_enable_randid) { + id = htons(ip_randomid()); + sk->protinfo.af_inet.id = htons(ip_randomid()); + } else +#endif + id = sk->protinfo.af_inet.id++; do { char *data; diff -urN linux-2.4.20/net/ipv4/netfilter/Config.in linux-2.4.20/net/ipv4/netfilter/Config.in --- linux-2.4.20/net/ipv4/netfilter/Config.in 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/net/ipv4/netfilter/Config.in 2003-02-12 23:36:37.000000000 -0500 @@ -30,6 +30,7 @@ dep_tristate ' LENGTH match support' CONFIG_IP_NF_MATCH_LENGTH $CONFIG_IP_NF_IPTABLES dep_tristate ' TTL match support' CONFIG_IP_NF_MATCH_TTL $CONFIG_IP_NF_IPTABLES dep_tristate ' tcpmss match support' CONFIG_IP_NF_MATCH_TCPMSS $CONFIG_IP_NF_IPTABLES + dep_tristate ' stealth match support' CONFIG_IP_NF_MATCH_STEALTH $CONFIG_IP_NF_IPTABLES if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then dep_tristate ' Helper match support' CONFIG_IP_NF_MATCH_HELPER $CONFIG_IP_NF_IPTABLES fi diff -urN linux-2.4.20/net/ipv4/netfilter/Makefile linux-2.4.20/net/ipv4/netfilter/Makefile --- linux-2.4.20/net/ipv4/netfilter/Makefile 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/net/ipv4/netfilter/Makefile 2003-02-12 23:36:37.000000000 -0500 @@ -75,6 +75,7 @@ obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o +obj-$(CONFIG_IP_NF_MATCH_STEALTH) += ipt_stealth.o # targets obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o diff -urN linux-2.4.20/net/ipv4/netfilter/ipt_stealth.c linux-2.4.20/net/ipv4/netfilter/ipt_stealth.c --- linux-2.4.20/net/ipv4/netfilter/ipt_stealth.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.20/net/ipv4/netfilter/ipt_stealth.c 2003-02-12 23:36:37.000000000 -0500 @@ -0,0 +1,107 @@ +/* Kernel module to add stealth support. + * + * Copyright (C) 2002 Brad Spengler + * + */ + +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +#include + +MODULE_LICENSE("GPL"); + +extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif); + +static int +match(const struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, + const void *matchinfo, + int offset, + const void *hdr, + u_int16_t datalen, + int *hotdrop) +{ + struct iphdr *ip = skb->nh.iph; + struct tcphdr *th = (struct tcphdr *) hdr; + struct udphdr *uh = (struct udphdr *) hdr; + struct sock *sk = NULL; + + if (!ip || !hdr || offset) return 0; + + switch(ip->protocol) { + case IPPROTO_TCP: + if (datalen < sizeof(struct tcphdr)) { + *hotdrop = 1; + return 0; + } + if (!(th->syn && !th->ack)) return 0; + sk = tcp_v4_lookup_listener(ip->daddr, ntohs(th->dest), ((struct rtable*)skb->dst)->rt_iif); + break; + case IPPROTO_UDP: + if (datalen < sizeof(struct udphdr)) { + *hotdrop = 1; + return 0; + } + sk = udp_v4_lookup(ip->saddr, uh->source, ip->daddr, uh->dest, skb->dev->ifindex); + break; + default: + return 0; + } + + if(!sk) // port is being listened on, match this + return 1; + else + return 0; +} + +/* Called when user tries to insert an entry of this type. */ +static int +checkentry(const char *tablename, + const struct ipt_ip *ip, + void *matchinfo, + unsigned int matchsize, + unsigned int hook_mask) +{ + if (matchsize != IPT_ALIGN(0)) + return 0; + + if(((ip->proto == IPPROTO_TCP && !(ip->invflags & IPT_INV_PROTO)) || + ((ip->proto == IPPROTO_UDP) && !(ip->invflags & IPT_INV_PROTO))) + && (hook_mask & (1 << NF_IP_LOCAL_IN))) + return 1; + + printk("stealth: Only works on TCP and UDP for the INPUT chain.\n"); + + return 0; +} + + +static struct ipt_match stealth_match += { { NULL, NULL }, "stealth", &match, &checkentry, NULL, THIS_MODULE }; + +static int __init init(void) +{ + return ipt_register_match(&stealth_match); +} + +static void __exit fini(void) +{ + ipt_unregister_match(&stealth_match); +} + +module_init(init); +module_exit(fini); diff -urN linux-2.4.20/net/ipv4/tcp_ipv4.c linux-2.4.20/net/ipv4/tcp_ipv4.c --- linux-2.4.20/net/ipv4/tcp_ipv4.c 2002-11-28 18:53:15.000000000 -0500 +++ linux-2.4.20/net/ipv4/tcp_ipv4.c 2003-02-12 23:36:37.000000000 -0500 @@ -62,6 +62,7 @@ #include #include #include +#include extern int sysctl_ip_dynaddr; extern int sysctl_ip_default_ttl; @@ -214,9 +215,18 @@ spin_lock(&tcp_portalloc_lock); rover = tcp_port_rover; - do { rover++; - if ((rover < low) || (rover > high)) - rover = low; + do { +#ifdef CONFIG_GRKERNSEC_RANDSRC + if (grsec_enable_randsrc && (high > low)) { + rover = low + (arc4random() % (high - low)); + } else +#endif + { + rover++; + if ((rover < low) || (rover > high)) + rover = low; + } + head = &tcp_bhash[tcp_bhashfn(rover)]; spin_lock(&head->lock); for (tb = head->chain; tb; tb = tb->next) @@ -534,6 +544,11 @@ static inline __u32 tcp_v4_init_sequence(struct sock *sk, struct sk_buff *skb) { +#ifdef CONFIG_GRKERNSEC_RANDISN + if (likely(grsec_enable_randisn)) + return ip_randomisn(); + else +#endif return secure_tcp_sequence_number(skb->nh.iph->daddr, skb->nh.iph->saddr, skb->h.th->dest, @@ -669,9 +684,16 @@ rover = tcp_port_rover; do { - rover++; - if ((rover < low) || (rover > high)) - rover = low; +#ifdef CONFIG_GRKERNSEC_RANDSRC + if(grsec_enable_randsrc && (high > low)) { + rover = low + (arc4random() % (high - low)); + } else +#endif + { + rover++; + if ((rover < low) || (rover > high)) + rover = low; + } head = &tcp_bhash[tcp_bhashfn(rover)]; spin_lock(&head->lock); @@ -832,11 +854,22 @@ if (err) goto failure; - if (!tp->write_seq) + if (!tp->write_seq) { +#ifdef CONFIG_GRKERNSEC_RANDISN + if (likely(grsec_enable_randisn)) + tp->write_seq = ip_randomisn(); + else +#endif tp->write_seq = secure_tcp_sequence_number(sk->saddr, sk->daddr, sk->sport, usin->sin_port); + } - sk->protinfo.af_inet.id = tp->write_seq^jiffies; +#ifdef CONFIG_GRKERNSEC_RANDID + if(grsec_enable_randid) + sk->protinfo.af_inet.id = htons(ip_randomid()); + else +#endif + sk->protinfo.af_inet.id = tp->write_seq^jiffies; err = tcp_connect(sk); if (err) @@ -1561,7 +1594,13 @@ newtp->ext_header_len = 0; if (newsk->protinfo.af_inet.opt) newtp->ext_header_len = newsk->protinfo.af_inet.opt->optlen; - newsk->protinfo.af_inet.id = newtp->write_seq^jiffies; + +#ifdef CONFIG_GRKERNSEC_RANDID + if(grsec_enable_randid) + newsk->protinfo.af_inet.id = htons(ip_randomid()); + else +#endif + newsk->protinfo.af_inet.id = newtp->write_seq^jiffies; tcp_sync_mss(newsk, dst->pmtu); newtp->advmss = dst->advmss; diff -urN linux-2.4.20/net/ipv4/udp.c linux-2.4.20/net/ipv4/udp.c --- linux-2.4.20/net/ipv4/udp.c 2002-08-02 20:39:46.000000000 -0400 +++ linux-2.4.20/net/ipv4/udp.c 2003-02-12 23:36:37.000000000 -0500 @@ -87,6 +87,7 @@ #include #include #include +#include #include #include #include @@ -94,6 +95,11 @@ #include #include +extern int gr_search_udp_recvmsg(const struct sock *sk, + const struct sk_buff *skb); +extern int gr_search_udp_sendmsg(const struct sock *sk, + const struct sockaddr_in *addr); + /* * Snmp MIB for the UDP layer */ @@ -463,9 +469,16 @@ ufh.uh.dest = usin->sin_port; if (ufh.uh.dest == 0) return -EINVAL; + + if (!gr_search_udp_sendmsg(sk, usin)) + return -EPERM; } else { if (sk->state != TCP_ESTABLISHED) return -ENOTCONN; + + if (!gr_search_udp_sendmsg(sk, NULL)) + return -EPERM; + ufh.daddr = sk->daddr; ufh.uh.dest = sk->dport; /* Open fast path for connected socket. @@ -473,6 +486,7 @@ */ connected = 1; } + ipc.addr = sk->saddr; ufh.uh.source = sk->sport; @@ -644,6 +658,11 @@ if (!skb) goto out; + if (!gr_search_udp_recvmsg(sk, skb)) { + err = -EPERM; + goto out_free; + } + copied = skb->len - sizeof(struct udphdr); if (copied > len) { copied = len; @@ -748,7 +767,13 @@ sk->daddr = rt->rt_dst; sk->dport = usin->sin_port; sk->state = TCP_ESTABLISHED; - sk->protinfo.af_inet.id = jiffies; + +#ifdef CONFIG_GRKERNSEC_RANDID + if(grsec_enable_randid) + sk->protinfo.af_inet.id = htons(ip_randomid()); + else +#endif + sk->protinfo.af_inet.id = jiffies; sk_dst_set(sk, &rt->u.dst); return(0); diff -urN linux-2.4.20/net/netlink/af_netlink.c linux-2.4.20/net/netlink/af_netlink.c --- linux-2.4.20/net/netlink/af_netlink.c 2002-11-28 18:53:16.000000000 -0500 +++ linux-2.4.20/net/netlink/af_netlink.c 2003-02-12 23:36:37.000000000 -0500 @@ -40,6 +40,7 @@ #include #include #include +#include #include #include @@ -612,7 +613,8 @@ check them, when this message will be delivered to corresponding kernel module. --ANK (980802) */ - NETLINK_CB(skb).eff_cap = current->cap_effective; + + NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(); err = -EFAULT; if (memcpy_fromiovec(skb_put(skb,len), msg->msg_iov, len)) { diff -urN linux-2.4.20/net/netsyms.c linux-2.4.20/net/netsyms.c --- linux-2.4.20/net/netsyms.c 2002-11-28 18:53:16.000000000 -0500 +++ linux-2.4.20/net/netsyms.c 2003-02-12 23:36:37.000000000 -0500 @@ -24,6 +24,7 @@ #include #include #include +#include #ifdef CONFIG_HIPPI #include #endif @@ -591,6 +592,49 @@ EXPORT_SYMBOL(softnet_data); +#if defined(CONFIG_IP_NF_MATCH_STEALTH_MODULE) +#if !defined (CONFIG_IPV6_MODULE) && !defined (CONFIG_KHTTPD) && !defined (CONFIG_KHTTPD_MODULE) +EXPORT_SYMBOL(tcp_v4_lookup_listener); +#endif +extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif); +EXPORT_SYMBOL(udp_v4_lookup); +#endif + +#if defined(CONFIG_GRKERNSEC_RANDID) +EXPORT_SYMBOL(ip_randomid); +#endif +#if defined(CONFIG_GRKERNSEC_RANDSRC) || defined(CONFIG_GRKERNSEC_RANDRPC) +EXPORT_SYMBOL(arc4random); +#endif +#ifdef CONFIG_GRKERNSEC_RANDISN +EXPORT_SYMBOL(ip_randomisn); +EXPORT_SYMBOL(grsec_enable_randisn); +#endif +#ifdef CONFIG_GRKERNSEC_RANDID +EXPORT_SYMBOL(grsec_enable_randid); +#endif +#ifdef CONFIG_GRKERNSEC_RANDSRC +EXPORT_SYMBOL(grsec_enable_randsrc); +#endif +#ifdef CONFIG_GRKERNSEC_RANDRPC +EXPORT_SYMBOL(grsec_enable_randrpc); +#endif + +EXPORT_SYMBOL(gr_cap_rtnetlink); + +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb); +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr); + +EXPORT_SYMBOL(gr_search_udp_recvmsg); +EXPORT_SYMBOL(gr_search_udp_sendmsg); + +#ifdef CONFIG_UNIX_MODULE +EXPORT_SYMBOL(gr_acl_handle_unix); +EXPORT_SYMBOL(gr_acl_handle_mknod); +EXPORT_SYMBOL(gr_handle_chroot_unix); +EXPORT_SYMBOL(gr_handle_create); +#endif + #if defined(CONFIG_NET_RADIO) || defined(CONFIG_NET_PCMCIA_RADIO) #include EXPORT_SYMBOL(wireless_send_event); diff -urN linux-2.4.20/net/socket.c linux-2.4.20/net/socket.c --- linux-2.4.20/net/socket.c 2002-11-28 18:53:16.000000000 -0500 +++ linux-2.4.20/net/socket.c 2003-02-12 23:36:37.000000000 -0500 @@ -85,6 +85,18 @@ #include #include +extern void gr_attach_curr_ip(const struct sock *sk); +extern int gr_handle_sock_all(const int family, const int type, + const int protocol); +extern int gr_handle_sock_server(const struct sockaddr *sck); +extern int gr_handle_sock_client(const struct sockaddr *sck); +extern int gr_search_connect(const struct socket * sock, + const struct sockaddr_in * addr); +extern int gr_search_bind(const struct socket * sock, + const struct sockaddr_in * addr); +extern int gr_search_socket(const int domain, const int type, + const int protocol); + static int sock_no_open(struct inode *irrelevant, struct file *dontcare); static ssize_t sock_read(struct file *file, char *buf, size_t size, loff_t *ppos); @@ -699,6 +711,7 @@ int sock_close(struct inode *inode, struct file *filp) { + struct socket *sock; /* * It was possible the inode is NULL we were * closing an unfinished socket. @@ -709,8 +722,21 @@ printk(KERN_DEBUG "sock_close: NULL inode\n"); return 0; } + sock = socki_lookup(inode); + sock_fasync(-1, filp, 0); + +#ifdef CONFIG_GRKERNSEC + if (unlikely(current->used_accept && sock->sk && + (sock->sk->protocol == IPPROTO_TCP) && + (sock->sk->daddr == current->curr_ip))) { + current->used_accept = 0; + current->curr_ip = 0; + } +#endif + sock_release(socki_lookup(inode)); + return 0; } @@ -903,6 +929,16 @@ int retval; struct socket *sock; + if(!gr_search_socket(family, type, protocol)) { + retval = -EACCES; + goto out; + } + + if (gr_handle_sock_all(family, type, protocol)) { + retval = -EACCES; + goto out; + } + retval = sock_create(family, type, protocol, &sock); if (retval < 0) goto out; @@ -998,12 +1034,26 @@ { struct socket *sock; char address[MAX_SOCK_ADDR]; + struct sockaddr * sck; int err; if((sock = sockfd_lookup(fd,&err))!=NULL) { - if((err=move_addr_to_kernel(umyaddr,addrlen,address))>=0) + if((err=move_addr_to_kernel(umyaddr,addrlen,address))>=0) { + sck = (struct sockaddr *) address; + + if(!gr_search_bind(sock, (struct sockaddr_in *) sck)) { + sockfd_put(sock); + return -EACCES; + } + + if (gr_handle_sock_server(sck)) { + sockfd_put(sock); + return -EACCES; + } + err = sock->ops->bind(sock, (struct sockaddr *)address, addrlen); + } sockfd_put(sock); } return err; @@ -1079,6 +1129,8 @@ if ((err = sock_map_fd(newsock)) < 0) goto out_release; + gr_attach_curr_ip(newsock->sk); + out_put: sockfd_put(sock); out: @@ -1106,6 +1158,7 @@ { struct socket *sock; char address[MAX_SOCK_ADDR]; + struct sockaddr * sck; int err; sock = sockfd_lookup(fd, &err); @@ -1114,6 +1167,24 @@ err = move_addr_to_kernel(uservaddr, addrlen, address); if (err < 0) goto out_put; + + sck = (struct sockaddr *) address; + + if (!gr_search_connect(sock, (struct sockaddr_in *) sck)) { + err = -EACCES; + goto out_put; + } + + if (gr_handle_sock_client(sck)) { + err = -EACCES; + goto out_put; + } + +#ifdef CONFIG_GRKERNSEC + if (sock->sk->protocol == IPPROTO_TCP) + current->used_connect = 1; +#endif + err = sock->ops->connect(sock, (struct sockaddr *) address, addrlen, sock->file->f_flags); out_put: @@ -1333,6 +1404,14 @@ err=sock->ops->shutdown(sock, how); sockfd_put(sock); } + +#ifdef CONFIG_GRKERNSEC + if (likely(!err && current->used_accept)) { + current->used_accept = 0; + current->curr_ip = 0; + } +#endif + return err; } diff -urN linux-2.4.20/net/sunrpc/xprt.c linux-2.4.20/net/sunrpc/xprt.c --- linux-2.4.20/net/sunrpc/xprt.c 2002-11-28 18:53:16.000000000 -0500 +++ linux-2.4.20/net/sunrpc/xprt.c 2003-02-12 23:36:37.000000000 -0500 @@ -59,6 +59,7 @@ #include #include #include +#include #include #include @@ -1255,7 +1256,14 @@ req->rq_timeout = xprt->timeout; req->rq_task = task; req->rq_xprt = xprt; - req->rq_xid = xid++; + +#ifdef CONFIG_GRKERNSEC_RANDRPC + if(grsec_enable_randrpc) + req->rq_xid = arc4random(); + else +#endif + req->rq_xid = xid++; + if (!xid) xid++; INIT_LIST_HEAD(&req->rq_list); diff -urN linux-2.4.20/net/unix/af_unix.c linux-2.4.20/net/unix/af_unix.c --- linux-2.4.20/net/unix/af_unix.c 2002-11-28 18:53:16.000000000 -0500 +++ linux-2.4.20/net/unix/af_unix.c 2003-02-12 23:36:37.000000000 -0500 @@ -109,6 +109,7 @@ #include #include #include +#include #include @@ -599,6 +600,11 @@ if (err) goto put_fail; + if (!gr_acl_handle_unix(nd.dentry, nd.mnt)) { + err = -EACCES; + goto put_fail; + } + err = -ECONNREFUSED; if (!S_ISSOCK(nd.dentry->d_inode->i_mode)) goto put_fail; @@ -622,6 +628,13 @@ if (u) { struct dentry *dentry; dentry = u->protinfo.af_unix.dentry; + + if (!gr_handle_chroot_unix(u->peercred.pid)) { + err = -EPERM; + sock_put(u); + goto fail; + } + if (dentry) UPDATE_ATIME(dentry->d_inode); } else @@ -720,9 +733,19 @@ * All right, let's create it. */ mode = S_IFSOCK | (sock->inode->i_mode & ~current->fs->umask); + + if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt)) { + err = -EACCES; + goto out_mknod_dput; + } + err = vfs_mknod(nd.dentry->d_inode, dentry, mode, 0); + if (err) goto out_mknod_dput; + + gr_handle_create(dentry, nd.mnt); + up(&nd.dentry->d_inode->i_sem); dput(nd.dentry); nd.dentry = dentry; @@ -740,6 +763,10 @@ goto out_unlock; } +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX + sk->peercred.pid = current->pid; +#endif + list = &unix_socket_table[addr->hash]; } else { list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)]; @@ -866,6 +893,9 @@ int st; int err; long timeo; +#ifdef CONFIG_GRKERNSEC + struct task_struct *p, **htable; +#endif err = unix_mkname(sunaddr, addr_len, &hash); if (err < 0) @@ -989,6 +1019,17 @@ /* Set credentials */ sk->peercred = other->peercred; +#ifdef CONFIG_GRKERNSEC + read_lock(&tasklist_lock); + htable = &pidhash[pid_hashfn(other->peercred.pid)]; + for (p = *htable; p && p->pid != other->peercred.pid; p = p->pidhash_next); + if (p) { + p->curr_ip = current->curr_ip; + p->used_accept = 1; + } + read_unlock(&tasklist_lock); +#endif + sock_hold(newsk); unix_peer(sk)=newsk; sock->state=SS_CONNECTED;